Posted Dec 12, 2008 20:34 UTC (Fri) by kweidner (subscriber, #6483)
Parent article: Fedora and CAPP
There's a logical reason for both auditing low-level access to /etc/shadow and having high-level audit entries generated by the tools. The tools such as usermod generate descriptive audit messages, such as saying that admin X changed the primary group of user Y on date Z. You don't get that from auditing access to the /etc/shadow file unless you were to fully log all read/write operations, and even then the output would be very inconvenient. Since /etc/shadow doesn't get written to (the update happens by writing to a temporary file and atomically moving that to the destination), there wouldn't even be an easy way to restrict the detailed low-level logging to just the security-critical file.
What the low-level access audit does get you is that it shows when someone bypasses the official interface. If you see an audit message saying that admin X updated the /etc/shadow file but there was no corresponding high-level message about the change, you know that this admin wasn't following the rules, and that the system may be in an unknown state after this point.
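The correlation the comment describes, as an added example that is neither the commenter's nor the article's code: it groups constructed audit records by serial number and reports writes to the watched file that no high-level account-management record from the same login uid precedes. The `key="shadow"` field, the record layout and the five-second window are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs). Event 455/456 is a usermod run
# that emitted a high-level USER_MGMT record plus the low-level rename onto
# /etc/shadow; event 470 is a direct edit with no high-level record.
# key="shadow" assumes a watch like `auditctl -w /etc/shadow -p wa -k shadow`.
SAMPLE_LOG = """\
type=USER_MGMT msg=audit(1229113190.000:455): pid=2001 uid=0 auid=1000 ses=3 msg='op=changing primary group id=1001 exe="/usr/sbin/usermod" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1229113190.010:456): arch=c000003e syscall=82 success=yes exit=0 auid=1000 uid=0 comm="usermod" exe="/usr/sbin/usermod" key="shadow"
type=PATH msg=audit(1229113190.010:456): item=1 name="/etc/shadow" nametype=CREATE
type=SYSCALL msg=audit(1229113600.500:470): arch=c000003e syscall=82 success=yes exit=0 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="shadow"
type=PATH msg=audit(1229113600.500:470): item=1 name="/etc/shadow" nametype=CREATE
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# Record types the account-management tools emit through the audit API.
HIGH_LEVEL = {"USER_MGMT", "USER_CHAUTHTOK", "ADD_USER", "DEL_USER"}


def field(body, name):
    """Extract name=value or name="value" from a record body."""
    m = re.search(r'\b%s=("?)([^"\s]*)\1' % name, body)
    return m.group(2) if m else None


def parse(log):
    """Group raw records into events keyed by the audit serial number."""
    events = defaultdict(lambda: {"ts": 0.0, "records": []})
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[int(serial)]["ts"] = float(ts)
            events[int(serial)]["records"].append((rtype, body))
    return events


def find_bypasses(log, window=5.0):
    """Return (serial, auid, exe) for every write to the watched file that no
    high-level record from the same login uid (auid) precedes within `window`
    seconds: the "someone bypassed the official interface" case."""
    high, writes = [], []
    for serial, ev in sorted(parse(log).items()):
        for rtype, body in ev["records"]:
            if rtype in HIGH_LEVEL:
                high.append((ev["ts"], field(body, "auid")))
            elif rtype == "SYSCALL" and field(body, "key") == "shadow":
                writes.append((serial, ev["ts"], field(body, "auid"), field(body, "exe")))
    return [(s, auid, exe) for s, ts, auid, exe in writes
            if not any(a == auid and 0 <= ts - t <= window for t, a in high)]
```

On the sample, the usermod write (event 456) is covered by the USER_MGMT record and only the direct `vi` edit (event 470) is reported.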