linux-audit.redhat.com archive mirror
* The format of password change audit events seems to have changed, Can you confirm the correct record type ?
From: Wieprecht, Karen M. @ 2021-07-08 18:19 UTC
  To: Linux-audit



I've noticed that the messages I'm searching for in Splunk to show root password changes no longer seem to be in the same format. Most of our systems run RHEL7 release 7.9, and I believe this is a recent change (I've only noticed this problem in the past 3 months or so?), but we do have an older 7.5 system, so I was able to use that to compare against the 7.5 to identify what's changed. I wanted to confirm which record I should be using now since there are several that get generated now.

The key differences seem to be in the message generated and the keyname being used for the account being targeted, but I wanted to confirm that there isn't some other record I should be looking at to verify that the root password was changed in the required timeframe since I see several records being generated from a password change, none of which include anything as conclusive as the old message that showed the operation as a "password change". Here are some of the fields I'm looking at:

type=USER_CHAUTHOK
exe=/usr/bin/passwd
[acct targeted for the passwd change]:
            id=root          (old format)
            acct=root      (latest format)
msg
           msg='op=change password  (old format)
           msg='op=PAM:chauthok      (latest format)

If you can confirm whether this is the info I should be using now to confirm password changes, that would be much appreciated.

Thanks so much,
Karen Wieprecht


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
From: Steve Grubb @ 2021-07-08 19:23 UTC
  To: Linux-audit, linux-audit

On Thursday, July 8, 2021 2:19:54 PM EDT Wieprecht, Karen M. wrote:
> I've noticed that the messages I'm searching for in Splunk to show root
> password changes no longer seem to be in the same format. Most of our
> systems run RHEL7 release 7.9, and I believe this is a recent change
> (I've only noticed this problem in the past 3 months or so?), but we do
> have an older 7.5 system, so I was able to use that to compare against
> the 7.5 to identify what's changed. I wanted to confirm which record I
> should be using now since there are several that get generated now.
> 
> The key differences seem to be in the message generated and the keyname
> being used for the account being targeted, but I wanted to confirm that
> there isn't some other record I should be looking at to verify that the
> root password was changed in the required timeframe since I see several
> records being generated from a password change, none of which include
> anything as conclusive as the old message that showed the operation as a
> "password change". Here are some of the fields I'm looking at:
> 
> type=USER_CHAUTHOK
> exe=/usr/bin/passwd
> [acct targeted for the passwd change]:
>             id=root          (old format)
>             acct=root      (latest format)
> msg
>            msg='op=change password  (old format)
>            msg='op=PAM:chauthok      (latest format)
> 
> If you can confirm whether this is the info I should be using now to
> confirm password changes, that would be much appreciated.

I don't have a RHEL 7.9 machine to compare against. I can set one up in about 
a week. On 7.6 the event looks like this:

type=USER_CHAUTHTOK msg=audit(1625771196.574:162): pid=5113 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change password id=1000 exe="/usr/bin/passwd" hostname=rhel7.3 addr=? terminal=pts/0 res=success'

The problem is that "op= change passwd" has a space in it and will not parse 
right. I have been trying to correct instances of this so that things parse 
correctly. Not everyone runs their changes by me for comment. So, it's 
possible that the change was made to fix the space, but usually I suggest 
people add an underscore.

I'll look into it more next week.

-Steve
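
An added example, not part of any message in this thread and not code from the audit project: a Python parser that normalises USER_CHAUTHTOK records in both layouts discussed above (the older "op=change password id=..." form, whose op value contains a space, and the newer "op=PAM:... acct=..." form) and reports the most recent successful root password change. The first sample is the RHEL 7.6 record quoted above; the other samples, the function names, and the treatment of both "root" and "0" as the root account are assumptions made for illustration.

```python
import re

# key=value tokens: the value is either "quoted" or a run of non-space chars.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
INNER = re.compile(r"msg='(.*)'\s*$")
# op= runs up to the next key= token, so "change password" stays whole.
OP = re.compile(r"\bop=(.*?)(?=\s+\w+=|$)")

ROOT_NAMES = {"root", "0"}  # assumption: id= may hold a name or a numeric uid


def parse_chauthtok(record):
    """Normalise one USER_CHAUTHTOK record; return None for anything else."""
    record = " ".join(record.split())  # undo mail/log line wrapping
    head = HEADER.match(record)
    inner = INNER.search(record)
    if not head or head.group(1) != "USER_CHAUTHTOK" or not inner:
        return None
    outer = dict(TOKEN.findall(record[head.end():inner.start()]))
    body = inner.group(1)
    fields = {k: v.strip('"') for k, v in TOKEN.findall(body)}
    op = OP.search(body)
    return {
        "time": float(head.group(2)),
        "serial": int(head.group(3)),
        "auid": outer.get("auid"),
        "op": op.group(1) if op else None,
        # Newer records name the account in acct=, older ones in id=.
        "target": fields.get("acct", fields.get("id")),
        "layout": "acct" if "acct" in fields else "id",
        "exe": fields.get("exe"),
        "res": fields.get("res"),
    }


def last_root_change(records):
    """Epoch time of the newest successful root change via passwd, or None."""
    times = [
        ev["time"]
        for ev in map(parse_chauthtok, records)
        if ev
        and ev["res"] == "success"
        and ev["exe"] == "/usr/bin/passwd"
        and ev["target"] in ROOT_NAMES
    ]
    return max(times) if times else None


SUBJ = "subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023"

# Record from the thread (RHEL 7.6), wrapped the way the mail client wrapped it.
RHEL76 = """type=USER_CHAUTHTOK msg=audit(1625771196.574:162): pid=5113 uid=0 auid=1000
ses=1 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change
password id=1000 exe="/usr/bin/passwd" hostname=rhel7.3 addr=? terminal=pts/0
res=success'"""

# Constructed samples (not from the thread): newer layout, a failed attempt,
# and an unrelated record type that must be ignored.
NEWER = ("type=USER_CHAUTHTOK msg=audit(1625800000.100:201): pid=6001 uid=0 "
         "auid=1000 ses=2 " + SUBJ + " msg='op=PAM:chauthtok "
         'grantors=pam_pwquality,pam_unix acct="root" exe="/usr/bin/passwd" '
         "hostname=host1 addr=? terminal=pts/0 res=success'")
FAILED = ("type=USER_CHAUTHTOK msg=audit(1625900000.200:305): pid=7002 uid=1000 "
          "auid=1000 ses=3 " + SUBJ + " msg='op=attempted-to-change-password "
          'id=0 exe="/usr/bin/passwd" hostname=host1 addr=? terminal=pts/1 '
          "res=failed'")
OTHER = ("type=USER_AUTH msg=audit(1625900001.000:306): pid=7003 uid=0 "
         "auid=1000 ses=3 msg='op=PAM:authentication acct=\"root\" "
         'exe="/usr/bin/su" hostname=host1 addr=? terminal=pts/1 res=success\'')

SAMPLES = [RHEL76, NEWER, FAILED, OTHER]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(parse_chauthtok(rec))
    print("last root change:", last_root_change(SAMPLES))
```
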



* Re: The format of password change audit events seems to have changed,  Can you confirm the correct record type ?
From: warron.french @ 2021-07-08 22:53 UTC
  To: Steve Grubb; +Cc: Linux-audit



This is an interesting topic.

Please, can you tell me what audit rule you are using that generates such
records about root's (or any other account's) password change?

Sincerely, thank you.
--------------------------
Warron French




* Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
From: Richard Guy Briggs @ 2021-07-09  0:46 UTC
  To: warron.french; +Cc: Linux-audit

On 2021-07-08 18:53, warron.french wrote:
> This is an interesting topic.
> 
> Please, can you tell me what audit rule you are using that generates such
> records about root's (or any other account's) password change?

This is a built-in to the userspace password management tools and not a
kernel-triggered rule.

You could duplicate the effort by monitoring /etc/shadow for writes if
you are really paranoid about those tools being subverted.


- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: The format of password change audit events seems to have changed,  Can you confirm the correct record type ?
From: warron.french @ 2021-07-09 12:06 UTC
  To: Richard Guy Briggs; +Cc: Linux-audit



Got it, thanks!
--------------------------
Warron French




* RE: [EXT] Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
From: Wieprecht, Karen M. @ 2021-07-09 13:18 UTC
  To: Richard Guy Briggs, warron.french; +Cc: Linux-audit

We do monitor the file itself, but we would also like to verify that the root password is being changed within the required timeframe. Monitoring the shadow file for changes is a start, but that file could be changed for other unrelated reasons, so we also want to confirm which specific audit record(s) are now being generated when a local account password is changed.

I see several pam-related messages that were generated the last time the root password was changed on a RHEL 7.9 system, but it's not clear if those event types could get generated for other reasons as well. The only clue that those audit events probably represent a password change attempt is that the exe=/usr/bin/passwd

Thanks again,
Karen Wieprecht 



* RE: [EXT] Re: The format of password change audit events seems to have changed,  Can you confirm the correct record type ?
From: Wieprecht, Karen M. @ 2021-07-09 14:22 UTC
  To: warron.french, Steve Grubb; +Cc: Linux-audit



Warron, I missed this part of your message.

>> This is an interesting topic.
>> Please, can you tell me what audit rule you are using that generates such records about root's (or any other account's) password change?

I double checked the rules on a different RHEL 7.9 system, and it looks like we are only picking up password change attempts for accts in the user space, but not root, so if the password was changed directly from a root login rather than via sudo from another acct, we probably won’t see some of the related audit records.

This is the rule I believe is picking up password change events:
 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd


There are also specific watches on /etc/shadow and gshadow:
                -w /etc/shadow -p wa -k identity

I just attempted, from a non-priv acct, to change the root passwd, and I see the following relevant audit record key-value pairs:

This shows I successfully ran the passwd command and that the root acct was targeted,
                type=PROCTITLE   ...  proctitle=passwd root   ...
                type=PATH             name=/usr/bin/passwd
                type=SYSCALL    ...  comm=passwd  exe=/usr/bin/passwd  success=yes     key=setuid

This shows that a password change was attempted and failed, but doesn’t seem to correctly indicate that the root acct was targeted (id=myusername, not root):
                Type=USER_CHAUTHOK auid=myusername msg='op=attempted-to-change-password    id=myusername   exe=/usr/bin/passwd  res=failed

So... based on this, unless the patch versions are a bit different between the two RHEL7.9 systems I’ve been looking at, it looks like you are actually generating a reasonable message when a password change is attempted, but we probably need to make sure we are picking up all password changes, not just those in the user space.

I unfortunately don’t have permission to change the audit rules, but will see if I can get the SA to test this for me. If you are able to test in your environment and can confirm my findings, that would be wonderful, but I think we probably found our smoking gun, LOL.

Thanks so much,
Karen Wieprecht


* Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
From: Steve Grubb @ 2021-07-10 14:57 UTC
  To: warron.french; +Cc: Linux-audit

On Thursday, July 8, 2021 6:53:12 PM EDT warron.french wrote:
> Please, can you tell me what audit rule you are using that generates such
> records about root's (or any other account's) password change?

In this case it's hardwired into pam.

-Steve

