On Wednesday, August 30, 2017 10:22:43 AM EDT Steve Grubb wrote:
Hello Philippe,
Thanks for reporting this (and the other bug which is in my queue to work
on).
On Wednesday, August 30, 2017 3:56:10 AM EDT Maupertuis Philippe wrote:
> Hi
> On a new redhat 7.4, passwd -S to check the status of a user generates the
> following event : node=xxxxx type=USER_CHAUTHTOK msg=audit(28/08/17
> 16:34:18.632:54145) : pid=31134 uid=root auid=xxxxx ses=3866
> msg='op=password status displayed for user id=ftp exe=/usr/bin/passwd
> hostname= xxxxx addr=? terminal=pts/1 res=success'
>
> According to
> https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events
> USER_CHAUTHTOK means that the user has successfully
> changed his password. In that case no change was done, only a query as it
> appears in the msg field
>
> The text format is even more disturbing:
> On xxxxx at 16:34:18 28/08/17 xxxxx, acting as root, successfully
> changed-password using /usr/bin/passwd
> The real action and the target user (ftp) are entirely lost in the text format.
>
> I would say that this message should not have been generated in the first
> place.
I would agree. I'll make a patch to remove it.
In case anyone wants this update to passwd, it is here:
https://pagure.io/passwd/c/c461efa0b6f9134adbb1440bb8cef2d3bf81620d?branc...
I looked around the auditing in passwd and it looks like it has not been
updated as everything else has been to eliminate dangling text. So, it's
wholly unsuited as is for text format output. I'll make a second patch to
update the auditing to modern standards. It's probably not been touched in a
decade.
And the other audit cleanups here:
https://pagure.io/passwd/c/d02e152112b28717eece1d64027a325439968e9f?branc...
https://pagure.io/passwd/c/137db0d6f2fd668081133c172ae7726d28ce95b6?branc...
-Steve
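
For systems still running an unpatched passwd, the following added example (not part of the thread or of the audit or passwd projects) parses `ausearch -i` style records, handles the unquoted multi-word `op=` value, and separates status queries from real USER_CHAUTHTOK changes. The sample records are constructed, and the `op=change password` text in the second one is an assumption.

```python
import re

# Constructed records in `ausearch -i` style. The first mirrors the event quoted in
# the thread (redacted values replaced); the second's op text is an assumed
# stand-in for a real password change.
SAMPLE = [
    "node=hostA type=USER_CHAUTHTOK msg=audit(28/08/17 16:34:18.632:54145) : "
    "pid=31134 uid=root auid=alice ses=3866 msg='op=password status displayed "
    "for user id=ftp exe=/usr/bin/passwd hostname= hostA addr=? terminal=pts/1 "
    "res=success'",
    "node=hostA type=USER_CHAUTHTOK msg=audit(28/08/17 16:40:02.118:54201) : "
    "pid=31190 uid=root auid=alice ses=3866 msg='op=change password id=ftp "
    "exe=/usr/bin/passwd hostname=hostA addr=? terminal=pts/1 res=success'",
]

KEY = re.compile(r"(?:^|\s)([A-Za-z_][\w-]*)=")
# op text taken from the event in the thread: a read-only status query
QUERY_OPS = {"password status displayed for user"}

def parse_fields(text):
    """Split key=value pairs whose values may hold unquoted spaces."""
    hits = list(KEY.finditer(text))
    fields = {}
    for i, m in enumerate(hits):
        # A value runs until the next key= token (or end of text).
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields

def parse_record(line):
    """Return outer fields plus the inner msg='...' fields under 'detail'."""
    head, _, inner = line.partition(" msg='")
    rec = parse_fields(head)
    rec["detail"] = parse_fields(inner.rstrip().rstrip("'"))
    return rec

def classify(rec):
    """Label a record: status-query, auth-token-change, or other."""
    if rec.get("type") != "USER_CHAUTHTOK":
        return "other"
    op = rec["detail"].get("op")
    return "status-query" if op in QUERY_OPS else "auth-token-change"

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_record(line)
        print(classify(rec), rec["detail"].get("id"), rec["detail"].get("op"))
```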