On 5/20/19 2:59 PM, Steve Grubb wrote: > So...I went digging through the source code of useradd.c. In main is this > comment: > > /* > * Do the hard stuff: > * - open the files, > * - create the user entries, > * - create the home directory, > * - create user mail spool, > * - flush nscd caches for passwd and group services, > * - then close and update the files. > */ > > If you dig around, you'll see in the above process it calls usr_update(). > This is where the audit event is. The very next function call is close_files. > This is where it actually writes to the files where it would be visible to > auditd. So, it looks like auditing in shadow-utils is busted. > > I also see where its calling pam_tally2 which is deprecated for years. It > should be calling faillock. I'll chat with upstream maintainers. > > -Steve
Thank you Steve, much appreciated! If they are able to provide a patch, would you mind asking them to send me a link and I'll test it ASAP? LCB -- Lenny Bruzenak MagitekLTD -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
