From 5ee66f6a14f310ae2084fd9a36826086586a77e765e7ac0f2d6045d441423860 Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Fri, 16 Dec 2022 10:10:32 +0000
Subject: [PATCH] - bsc#1205502: Fix useradd audit event logging of ID field * Add shadow-audit-no-id.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=135
---
 shadow-audit-no-id.patch | 36 ++++++++++++++++++++++++++++++++++++
 shadow.changes | 6 ++++++
 shadow.spec | 3 +++
 3 files changed, 45 insertions(+)
 create mode 100644 shadow-audit-no-id.patch
diff --git a/shadow-audit-no-id.patch b/shadow-audit-no-id.patch
new file mode 100644
index 0000000..e79fcda
--- /dev/null
+++ b/shadow-audit-no-id.patch
@@ -0,0 +1,36 @@
+From 3cfc7955b33c85472a7cf11a0ecf1c6851db7c26 Mon Sep 17 00:00:00 2001
+From: Michael Vetter
+Date: Thu, 15 Dec 2022 11:52:58 +0100
+Subject: [PATCH] Fix useradd audit event logging of ID field
+
+When useradd sends its ADD_USER event, it is filling in the id field. This is not yet written to disk. When auditd sees the event and the log format is enriched, auditd tries to lookup the user name but it does not exist. This causes the event to never be resolvable since ausearch relies on the lookup information attached by auditd.
+
+The fix is to not send the id information for any event until after close_files() is called. Just the acct field is all that is
+
+Patch by Steve Grubb (afaik).
+
+Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713432
+---
+ src/useradd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index e59e47681..87abd6e33 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2225,9 +2225,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
+ #endif /* ENABLE_SUBIDS */
+
+ #ifdef WITH_AUDIT
++ /*
++ * Even though we have the ID of the user, we won't send it now
++ * because its not written to disk yet. After close_files it is
++ * and we can use the real ID thereafter.
++ */
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding user",
+- user_name, (unsigned int) user_id,
++ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_SUCCESS);
+ #endif
+ /*
diff --git a/shadow.changes b/shadow.changes
index d08cb82..f4508f4 100644
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Dec 16 10:04:44 UTC 2022 - Michael Vetter
+
+- bsc#1205502: Fix useradd audit event logging of ID field
+ * Add shadow-audit-no-id.patch
+
 -------------------------------------------------------------------
 Tue Nov 8 21:15:44 UTC 2022 - Michael Vetter
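Review bot: The comment added in the WITH_AUDIT block of usr_update says the real ID can be used after close_files, but nothing visible in this hunk sends it, so the ADD_USER record appears to carry only the acct name. For audit review this matters: unless a later record written after close_files() includes the UID, a reader of the trail cannot tell from the event which numeric ID the new account received (a duplicate or UID-0 assignment, for example). If such a record exists outside the hunk, the comment should name it; if not, state the omission plainly, e.g. `/* id is deliberately AUDIT_NO_ID: auditd cannot resolve it before close_files(); this event is identified by acct only */`. usr_update starts and ends outside the hunk, so later audit_logger call sites are not visible here.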
diff --git a/shadow.spec b/shadow.spec
index ccd8d33..59e16e6 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -57,6 +57,8 @@ Patch6: shadow-login_defs-suse.patch
 Patch7: useradd-userkeleton.patch
 # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
 Patch8: disable_new_audit_function.patch
+# PATCH-FIX-UPSTREAM shadow-audit-no-id.patch mvetter@suse.com -- Fix useradd audit event logging of ID field (bsc#1205502) (gh/shadow-maint/shadow#606)
+Patch9: shadow-audit-no-id.patch
 BuildRequires: audit-devel > 2.3
 BuildRequires: autoconf
 BuildRequires: automake
@@ -126,6 +128,7 @@ Development files for libsubid4.
 %if 0%{?suse_version} < 1330
 %patch8 -p1
 %endif
+%patch9 -p1
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO