On Friday, July 14, 2017 4:52:36 PM EDT warron.french wrote:
> Same as AUDIT(B) only for roles and groups?

Also hardwired. See the user account specification.

-Steve

> Simply put a watch rule on /etc/group and /etc/gshadow?
>
> Is that really enough?  Do I also monitor the executables for /bin/passwd,
> /sbin/{groupadd, groupdel, groupmod, usermod}?
>
> Usermod, because technically, you can affect memberships of a user with
> this command and also useradd?
>
>
> Is *that *suitable?

>
> Is there an appropriate syscall for AUDIT(C)?
>
>
>
> --------------------------
> Warron French