User: Password:
Subscribe / Log in / New account

Fedora and CAPP

Fedora and CAPP

Posted Dec 12, 2008 20:34 UTC (Fri) by kweidner (subscriber, #6483)
Parent article: Fedora and CAPP

There's a logical reason for both auditing low-level access to /etc/shadow and having high-level audit entries generated by the tools. The tools such as usermod generate descriptive audit messages, such as saying that admin X changed the primary group of user Y on date Z. You don't get that from auditing access to the /etc/shadow file unless you were to fully log all read/write operations, and even then the output would be very inconvenient. Since /etc/shadow doesn't get written to (the update happens by writing to a temporary file and atomically moving that to the destination), there wouldn't even be an easy way to restrict the detailed low-level logging to just the security critical file.

What the low-level access audit does get you is that it shows when someone bypasses the official interface. If you see an audit message saying that admin X updated the /etc/shadow file but there was no corresponding high-level message about the change, you know that this admin wasn't following the rules, and that the system may be in an unknown state after this point.

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds