From: Herbert Bärschneider
Subject: updating adduser logging
To: "tech@openbsd.org"
Date: Tue, 22 Oct 2024 17:11:04 +0000

Hi OpenBSD developers,

I address this mailing list directly, because my request on the "misc" mailing list did not get any responses.
https://marc.info/?l=openbsd-misc&m=172452692026486&w=2

While investigating OpenBSD in the light of digital forensics, I stumbled over the following aspect:
The program "useradd" logs to syslog (facility LOG_USER, severity LOG_INFO) while the program "adduser" logs to its own special log file. Furthermore, "adduser" uses a custom log format, different from the format used by syslog.

I didn't find a reason for this difference and am curious to hear if anyone else knows.
If nothing speaks for splitting the logs, I propose to change "adduser" to also log to syslog, making the entries exportable through syslog's features and more accessible to tooling building on syslog log files.

While I'm a novice with Perl, I made the following changes (see end of mail) and successfully tested them on OpenBSD 7.5. Next to changing logging in "adduser" to syslog, I also added a log message to "rmuser" for when user accounts are removed.

PS: I couldn't figure out how to make these patches with CVS, so plain diff it is.

Kind Regards
Herbert

diff adduser.perl.bak adduser.perl 32a33 > use Sys::Syslog; 52a54,55 > openlog("adduser", "nofatal,pid", "LOG_USER"); # setup syslog connection > 84d86 < $logfile = "/var/log/adduser"; # logfile 814c816 < &adduser_log("$name:*:$u_id:$g_id($group_login):$fullname"); --- > syslog("LOG_INFO", "new user added: name=$name ($fullname), uid=$u_id, gid=$g_id, \ > group_login=$group_login, home=$home/$name, sh=$sh"); 861c863 < &adduser_log("$name:*:$u_id:$g_id($group_login):$fullname"); --- > syslog("LOG_INFO", "new user added: name=$name ($fullname), uid=$u_id, gid=$g_id, \ > group_login=$group_login, home=$home/$name, sh=$sh"); 1095,1113d1096 < # log for new user in /var/log/adduser < sub adduser_log { < local($string) = @_; < local($e); < < return 1 if $logfile eq "no"; < < local($sec, $min, $hour, $mday, $mon, $year) = localtime; < $year += 1900; < $mon++; < < foreach $e ('sec', 'min', 'hour', 'mday', 'mon') { < # '7' -> '07' < eval "\$$e = 0 . \$$e" if (eval "\$$e" < 10); < } < < &append_file($logfile, "$year/$mon/$mday $hour:$min:$sec $string"); < } < 1592,1594d1574 < # logfile ("/var/log/adduser" or "no") < logfile = "$logfile" < 1653a1634 > closelog(); diff rmuser.perl.bak rmuser.perl 38a39 > use Sys::Syslog; 99a101 > openlog("rmuser", "nofatal,pid", "LOG_USER"); # setup syslog connection 189a192 > syslog("LOG_INFO", "user removed: name=$login_name"); 217a221 > closelog(); diff adduser.8.bak adduser.8 355,357d354 < .It Pa /var/log/adduser < log file for < .Nm
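
Review bot: In adduser.perl hunk 814c816 the new syslog() message is split with a backslash at the end of the line inside a double-quoted string. Perl has no line continuation inside a string literal, so the backslash followed by the line break leaves a literal newline in the message and the record is emitted with an embedded line break between "gid=$g_id," and "group_login=". Keep the string on one line or join two literals with the "." operator. The identical call in 861c863 needs the same fix.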
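
Review bot: In adduser.perl hunk 861c863 (and the identical call in 814c816) $name, $fullname and the other values are interpolated straight into the second argument of syslog(), which Sys::Syslog treats as a format string, so a "%m" inside $fullname would be replaced by the current errno text instead of being logged as typed. Use a fixed format and pass the values as arguments, for example syslog("LOG_INFO", "new user added: name=%s (%s), uid=%s, gid=%s", $name, $fullname, $u_id, $g_id) extended with the remaining fields. Since both call sites are the same, a small sub in place of the removed adduser_log would keep the format in one place.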
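
Review bot: Hunks 84d86, 1095,1113d1096 and 1592,1594d1574 of adduser.perl remove $logfile together with its "no" value (return 1 if $logfile eq "no"), so the existing switch for turning the adduser log off disappears without a replacement and without being mentioned in the mail. Either state that this is intended or keep an equivalent setting. Configuration files written from the template removed in 1592,1594d1574 will still contain a logfile = line, so the code that reads the configuration should be checked to confirm it tolerates the now unused key.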
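
Review bot: In rmuser.perl hunk 189a192 the message records only name=$login_name, while the adduser message carries uid, gid, home and shell; without the uid a removal cannot be matched to the corresponding "new user added" record once a login name is reused. Add at least the uid, and pass the values as arguments to a fixed format rather than interpolating them. The plain diff carries no context lines, so it is not visible whether line 192 is reached only after the account was actually removed; a unified diff (diff -u) would let that be checked.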
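
Review bot: The adduser.8 hunk 355,357d354 only deletes the /var/log/adduser entry, leaving the manual without any statement of where the records now go. Add a sentence saying that account additions and removals are logged through syslog with facility LOG_USER and level LOG_INFO, matching the openlog() and syslog() calls in the two scripts, and remove any remaining description of the logfile setting from the manual.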