From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The shadow-utils package needs some updates for the eal4 certification. I will attach a patch that provides it.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. New functionality

Additional info:
Created attachment 115781
patch to add audit enhancements

This patch provides the needed updates to log important events into the audit system. This is needed for IBM's eal/CAPP certification. If you could please review this patch and build at the first opportunity, that would be appreciated. IBM needs all rpms that are part of the certification this week. Thanks!
You will need to add BuildRequires: audit-libs-devel >= 0.9.8
Created attachment 116433
patch to add audit enhancements

IBM found some problems in the previous patch. A new one is attached that better identifies the account or group being modified. Please apply it. Thanks.
New patch was applied. /mnt/redhat/dist/4E-qu-candidate/shadow-utils/4.0.3-45.RHEL4
Created attachment 116808
patch to add audit enhancements

IBM found a couple more records that needed fixing. This patch corrects those problems. We need to build another candidate release. Thanks.
/mnt/redhat/dist/4E-qu-candidate/shadow-utils/4.0.3-47.RHEL4
HP's testing shows another problem. chage records changes when done from the command line, but not via the interactive session. I will correct the latest patch and attach.
Created attachment 117245
patch to add audit enhancements

This patch adds logging for chage when it goes into interactive mode.
/mnt/redhat/dist/4E-qu-candidate/shadow-utils/4.0.3-50.RHEL4
The CAPP requirement is to log any change to an account attribute. The necessary information is: who did it (loginuid), the acct affected, the operation being performed, and the results. The programs affected are: chage, gpasswd, groupadd, groupdel, groupmod, useradd, userdel, & usermod.
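An added example, not part of the original report or of the shadow-utils patch: a checker that reads audit records and reports which of the four items listed above are absent. The field names (auid, acct, op, res), the record layout and the sample lines are assumptions constructed for illustration, not output from the patched tools.

```python
import re

# Requirement from the comment above -> audit field name (assumed names).
REQUIRED = {
    "who (loginuid)": "auid",
    "account affected": "acct",
    "operation": "op",
    "result": "res",
}
UNSET_AUID = {"4294967295", "-1"}  # (uid_t)-1: no login uid was ever set

# key=value where value is "double quoted" or a bare token; this also
# picks up the pairs nested inside the msg='...' payload.
_PAIR = re.compile(r"""(\w+)=("[^"]*"|[^\s'(),]+)""")

def parse_record(line):
    """Flatten one audit record into a dict (first occurrence of a key wins)."""
    fields = {}
    for key, value in _PAIR.findall(line):
        fields.setdefault(key, value.strip('"'))
    return fields

def missing_fields(line):
    """Return the required items this record fails to provide."""
    fields = parse_record(line)
    missing = [label for label, key in REQUIRED.items() if key not in fields]
    if fields.get("auid") in UNSET_AUID:  # present but says "nobody"
        missing.append("who (loginuid)")
    return missing

def incomplete(lines):
    """Map 1-based record number -> missing items, for deficient records only."""
    report = {}
    for number, line in enumerate(lines, 1):
        gaps = missing_fields(line)
        if gaps:
            report[number] = gaps
    return report

_HEAD = "type=USER_CHAUTHTOK msg=audit(1120000000.101:41): user pid=2301 uid=0 "
_TAIL = "(hostname=?, addr=?, terminal=pts/0 res=success)'"
SAMPLES = [  # constructed records
    _HEAD + "auid=500 msg='op=changing-expiry acct=alice exe=\"/usr/bin/chage\" " + _TAIL,
    _HEAD + "auid=500 msg='op=modifying-group exe=\"/usr/sbin/groupmod\" " + _TAIL,
    _HEAD + "auid=4294967295 msg='op=adding-user acct=bob exe=\"/usr/sbin/useradd\" " + _TAIL,
]

if __name__ == "__main__":
    for number, gaps in incomplete(SAMPLES).items():
        print(f"record {number}: missing {', '.join(gaps)}")
```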
There is one change that should be made for FC4 & rawhide. The audit_help_open function should detect some other errno's in case it is running on a custom kernel. It should be: +void audit_help_open(void) +{ +#ifdef WITH_AUDIT + audit_fd = audit_open(); + if (audit_fd < 0) { + /* You get these only when the kernel doesn't have + * audit compiled in. */ + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return; + fprintf(stderr, "Cannot open audit interface - aborting.\n"); + exit(1); + } +#endif +}
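Review bot: In audit_help_open, the early return for EINVAL, EPROTONOSUPPORT and EAFNOSUPPORT leaves audit_fd negative and says nothing about auditing being off, so every later logging call has to tolerate a negative descriptor and an account change on such a kernel goes unrecorded without notice. Add a comment on that branch stating that callers must check audit_fd before logging, and consider emitting a one-time notice there. The abort path also drops the cause: including strerror(errno) in "Cannot open audit interface - aborting." would let an administrator see why the open failed before the tool exits.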
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-309.html