Linux records an entry in syslog any time a user is added or deleted. However, I'm running a Solaris 11 VM and find no such entries. How can I enable auditing for useradd and userdel? Oracle's documentation on managing the auditing service has been of no assistance. Thanks.
# grep useradd /var/log/*
grep: /var/log/anaconda: Is a directory
grep: /var/log/audit: Is a directory
grep: /var/log/chrony: Is a directory
grep: /var/log/httpd: Is a directory
grep: /var/log/mariadb: Is a directory
grep: /var/log/qemu-ga: Is a directory
grep: /var/log/rhsm: Is a directory
grep: /var/log/sa: Is a directory
/var/log/secure-20180522:May 15 17:33:41 centos7host useradd[1054]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
/var/log/secure-20180522:May 15 17:50:10 centos7host useradd[1387]: new user: name=mysql, UID=27, GID=27, home=/var/lib/mysql, shell=/sbin/nologin
/var/log/secure-20180522:May 15 18:16:19 centos7host useradd[5588]: new group: name=nagios, GID=1002
/var/log/secure-20180522:May 15 18:16:19 centos7host useradd[5588]: new user: name=nagios, UID=1001, GID=1002, home=/home/nagios, shell=/bin/bash
You could intercept the command and insert your own script perhaps. If you create a new directory called /usr/sbin/secure and move the real executables in there, your script to replace them could be something like:
#!/bin/ksh
# Record the activity: who ran which command, with which arguments
logger "$(who am i) running $0 $*"
echo "$(who am i) running $0 $*" >> /var/log/myauditlog
# Call the real command from the directory the originals were moved to.
# ${0##*/} is the basename of the wrapper, so one copy of this script
# serves as useradd, userdel, usermod, etc.; exec passes the real
# command's exit status back to the caller.
exec /usr/sbin/secure/${0##*/} "$@"
It's a bit quick and dirty, and of course could be bypassed, but does that help get you something? I haven't got a Solaris box at present and I recall having to fiddle around with this to get it to work, so this is not a fully tested and working solution but it might get you started on the way.
The catch to this scenario is that it needs to be a command that may be utilized on any system running vanilla Solaris 11 (including the BSM audit system). The command will be used to assess other systems which are not within my control, so adding or creating a script on my box wouldn't be executable on a system that I do not manage or have access to. The systems are being assessed by a third party, and they need to be able to view the results of users being added to and deleted from the systems.
Can you elaborate on why you are trying to audit useradd/userdel?
Do you need to audit superuser activity? Only superuser privileges can add an account, and if you can't trust the superusers then you're in serious trouble.
We have outside organizations auditing system execution. I do not manage this system; however, we are responsible for the application that lives on it. The systems are managed by another group, and we are responsible for providing the commands to execute to permit the assessors to physically see these details on the system. Hence the results have to be part of the vanilla Solaris 11 load, and not a custom script.
I did locate this thread, however, Solaris 11 doesn't use audit_control.
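Since the thread's constraint is stock Solaris 11, where audit_control is gone and preselection is done with auditconfig, here is an added example (not code from anyone in this thread) of checking and querying the audit service with only the commands a vanilla Solaris 11 load ships with. It assumes that useradd, userdel and related commands are audited under the "ua" (user administration) audit class, which should be confirmed on the target by grepping /etc/security/audit_event; the flag-line format it parses is the "... audit flags = lo(0x1000,0x1000)" form printed by auditconfig -getflags, and the sample lines in the comments are constructed. The function and file names are mine.

```sh
#!/bin/sh
# Added example, not code from anyone in this thread. Assumes Oracle Solaris 11
# with its stock audit service (auditconfig, audit, auditreduce, praudit) and
# that useradd/userdel and friends are audited under the "ua" (user
# administration) audit class. Confirm the class on the target with:
#   grep ':ua' /etc/security/audit_event

# Print the audit classes from one "... audit flags = lo,+ua(0x...,0x...)"
# line of `auditconfig -getflags`, one per line. The +cls / -cls prefixes
# (audit successes only / failures only) still audit the class, so they are
# stripped; ^cls switches the class off, so those entries are dropped.
flag_classes() {
    printf '%s\n' "$1" |
        sed -e 's/^[^=]*= *//' -e 's/(.*$//' |
        tr ',' '\n' |
        grep -v '^\^' |
        sed -e 's/^[-+]*//'
}

# Exit 0 if audit class $2 is enabled in the flags line $1, 1 otherwise.
# e.g. flags_have_class 'active user default audit flags = lo,+ua(0x1000,0x1000)' ua
flags_have_class() {
    flag_classes "$1" | grep -qx "$2"
}

# Run the checks on a Solaris 11 host as root. On any other system just print
# the stock commands so they can be handed to the assessors as-is.
check_ua_auditing() {
    if ! command -v auditconfig >/dev/null 2>&1; then
        echo "auditconfig not found; on Solaris 11 run as root:"
        echo "  auditconfig -getcond          # expect 'audit condition = auditing'"
        echo "  auditconfig -getflags         # 'ua' must be among the active flags"
        echo "  auditreduce -c ua | praudit   # list user administration records"
        return 2
    fi
    auditconfig -getcond
    active=$(auditconfig -getflags | grep -i '^active')
    if flags_have_class "$active" ua; then
        echo "ua class is preselected: $active"
    else
        echo "ua class is not preselected; enable it with:" >&2
        echo "  auditconfig -setflags lo,ua && audit -s" >&2
        return 1
    fi
    # Records written since the class was enabled. Sessions that started
    # before the change keep their old preselection mask until they log in
    # again, so a useradd run from an already-open root shell will not show.
    auditreduce -c ua | praudit
}

# Stand-alone use: sh ua_audit_check.sh check
if [ "${1-}" = check ]; then
    check_ua_auditing
fi
```

The parsing functions are the only part that runs anywhere; everything else calls Solaris commands and is skipped elsewhere. Note that -setflags changes the default mask for users who log in afterwards, so after enabling ua the assessors should log out and back in before running their test useradd, and that auditreduce reads the local /var/audit files, which on a stock install are only readable by root.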