From mboxrd@z Thu Jan 1 00:00:00 1970 From: Lenny Bruzenak Subject: useradd question Date: Thu, 16 May 2019 18:00:38 -0500 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx07.extmail.prod.ext.phx2.redhat.com [10.5.110.31]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 73BC0605D0 for ; Thu, 16 May 2019 23:00:55 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 16A6EC062ECD for ; Thu, 16 May 2019 23:00:47 +0000 (UTC) Received: by mail-pg1-f182.google.com with SMTP id z3so2273501pgp.8 for ; Thu, 16 May 2019 16:00:47 -0700 (PDT) Received: from [192.168.1.22] (47-220-175-246.pfvlcmta01.res.dyn.suddenlink.net. [47.220.175.246]) by smtp.gmail.com with ESMTPSA id 194sm13027303pfb.125.2019.05.16.16.00.40 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 May 2019 16:00:40 -0700 (PDT) Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Linux-audit@redhat.com" List-Id: linux-audit@redhat.com If I add a new user with the "useradd" utility, it submits a ADD_USER event, but the event itself has no interpretation for the new UID. IOW, the "id" field is numeric and the translated data at the end of the raw record has "ID=unknown(number)". I'm guessing it is because until the user data has been successfully entered, there is no translation. Perhaps the event submission should wait until that happens? I may be able to dig out the name from other related generated events, but that is kind of a pain. audit-2.8.5, RHEL 7.6 Thx, LCB -- Lenny Bruzenak MagitekLTD