From: Maupertuis Philippe
Subject: passwd and USER_CHAUTHTOK
Date: Wed, 30 Aug 2017 09:56:10 +0200
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
Message-ID: <3D2AB1326AB2974190FCE3F69401F7900102F2B4B976@FRVDX103.fr01.awl.atosorigin.net>

Hi

On a new Red Hat 7.4 system, passwd -S to check the status of a user generates the following event:

node=xxxxx type=USER_CHAUTHTOK msg=audit(28/08/17 16:34:18.632:54145) : pid=31134 uid=root auid=xxxxx ses=3866 msg='op=password status displayed for user id=ftp exe=/usr/bin/passwd hostname= xxxxx addr=? terminal=pts/1 res=success'

According to https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events, USER_CHAUTHTOK means that the user has successfully changed his password.

In that case no change was made, only a query, as the msg field shows.

The text format is even more disturbing:

On xxxxx at 16:34:18 28/08/17 xxxxx, acting as root, successfully changed-password using /usr/bin/passwd

The real action and the target user (ftp) are entirely lost in the text format.

I would say that this message should not have been generated in the first place.

If I really change a user's password with passwd games, I get:

node=xxxxx type=USER_CHAUTHTOK msg=audit(28/08/17 17:04:36.683:54299) : pid=774 uid=root auid=xxxxx ses=3866 msg='op=change password id=games exe=/usr/bin/passwd hostname=xxxxx addr=? terminal=pts/1 res=success'

and in the text format:

On xxxxx at 17:04:36 28/08/17 xxxxx, acting as root, successfully changed-password games using /usr/bin/passwd
On xxxxx at 17:04:36 28/08/17 xxxxx, acting as root, successfully changed-password using /usr/bin/passwd

This time the first line describes accurately what happened, but I find the second one misleading since it is really the same command and not an additional change.

Please let me know if I missed something.

Philippe

!!!*************************************************************************************
"This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!"

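The point of the mail is that the record type alone (USER_CHAUTHTOK) does not tell you whether a password was changed; the op= field inside msg='...' does, and the text rendering drops it. Below is an added example, not code from the mail or from the audit project, that parses the two records quoted above, classifies them by op= and renders a summary that keeps both the real action and the target account. It assumes the interpreted record layout shown in the mail (uid and timestamp already resolved, as ausearch -i prints them), and its change/query distinction rests only on the two op strings the mail shows; any other op is reported as "other", which is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two USER_CHAUTHTOK records quoted in the mail,
# in the interpreted layout shown there (uid/timestamp already resolved, as
# `ausearch -i` prints them; hostnames masked as xxxxx by the poster).
# Record 1 comes from `passwd -S ftp`, record 2 from `passwd games`.
SAMPLE_RECORDS = [
    "node=xxxxx type=USER_CHAUTHTOK msg=audit(28/08/17 16:34:18.632:54145) : "
    "pid=31134 uid=root auid=xxxxx ses=3866 msg='op=password status displayed "
    "for user id=ftp exe=/usr/bin/passwd hostname= xxxxx addr=? terminal=pts/1 "
    "res=success'",
    "node=xxxxx type=USER_CHAUTHTOK msg=audit(28/08/17 17:04:36.683:54299) : "
    "pid=774 uid=root auid=xxxxx ses=3866 msg='op=change password id=games "
    "exe=/usr/bin/passwd hostname=xxxxx addr=? terminal=pts/1 res=success'",
]

# msg=audit(<time>:<serial>) : header of an interpreted record
_HEADER_RE = re.compile(r"msg=audit\((?P<time>.*?):(?P<serial>\d+)\)\s*:\s*")
# the quoted msg='...' payload at the end of the record
_INNER_RE = re.compile(r"msg='(?P<inner>.*)'\s*$")
# key=value pairs whose value may contain spaces (op=change password): a value
# runs until the next "word=" token or the end of the string. Values that
# themselves contain "word=" would be split wrongly; none occur here.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class AuditRecord:
    type: str
    time: str
    serial: int
    fields: dict  # outer fields: node, pid, uid, auid, ses
    msg: dict     # fields inside msg='...': op, id, exe, hostname, addr, terminal, res


def _kv(text: str) -> dict:
    # strip() also absorbs the stray space in "hostname= xxxxx" from record 1
    return {k: v.strip() for k, v in _KV_RE.findall(text)}


def parse_audit_record(line: str) -> AuditRecord:
    hdr = _HEADER_RE.search(line)
    inner = _INNER_RE.search(line)
    if not hdr or not inner:
        raise ValueError("not an interpreted audit record: %r" % line)
    outer = _kv(line[:hdr.start()] + line[hdr.end():inner.start()])
    return AuditRecord(
        type=outer.get("type", ""),
        time=hdr.group("time"),
        serial=int(hdr.group("serial")),
        fields=outer,
        msg=_kv(inner.group("inner")),
    )


def classify_chauthtok(rec: AuditRecord) -> str:
    """Return 'change', 'query' or 'other' for a USER_CHAUTHTOK record.

    Only the two op strings seen in the mail are recognised; treating any
    other op as 'other' rather than as a change is an assumption here.
    """
    if rec.type != "USER_CHAUTHTOK":
        return "other"
    op = rec.msg.get("op", "")
    if op.startswith("change password"):
        return "change"
    if "status display" in op:
        return "query"
    return "other"


def summarize(rec: AuditRecord) -> str:
    """Text rendering that keeps both the real action (op) and the target (id)."""
    kind = classify_chauthtok(rec)
    m = rec.msg
    if kind == "change":
        action = "changed the password of"
    elif kind == "query":
        action = "displayed the password status of"
    else:
        action = "performed '%s' on" % m.get("op", "?")
    outcome = "successfully" if m.get("res") == "success" else "unsuccessfully"
    return "On %s at %s, %s (acting as %s) %s %s %s using %s" % (
        rec.fields.get("node", "?"), rec.time, rec.fields.get("auid", "?"),
        rec.fields.get("uid", "?"), outcome, action, m.get("id", "?"),
        m.get("exe", "?"))


def password_changes(lines) -> list:
    """Accounts whose password really changed: op=change password and res=success."""
    out = []
    for line in lines:
        rec = parse_audit_record(line)
        if classify_chauthtok(rec) == "change" and rec.msg.get("res") == "success":
            out.append(rec.msg["id"])
    return out


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(summarize(parse_audit_record(line)))
    print("real password changes:", password_changes(SAMPLE_RECORDS))
```

Run against the two sample records, password_changes() reports only games: the passwd -S event is recognised as a status query from its op= field and never counted as a change, which is the check a detection rule keyed on USER_CHAUTHTOK should make before alerting.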