sysusers: emit audit events for user and group creation (#35957)

Background: Fedora/RHEL are switching to sysusers.d metadata for
creation of users and groups for system users defined by packages
(https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers).
Packages carry sysusers files. During package installation, rpm calls an
program to execute on this config. This program may either be
/usr/lib/rpm/sysusers.sh which calls useradd/groupadd, or
/usr/bin/systemd-sysusers. To match the functionality provided by
useradd/groupadd from the shadow-utils project, systemd-sysusers must
emit audit events so that it provides a drop-in replacement.

systemd-sysuers will emit audit events AUDIT_ADD_USER/AUDIT_ADD_GROUP
when adding users and groups. The operation "names" are copied from
shadow-utils, so the format of the events that is generated on success
should be identical. On failure, things are more complicated. We write
the whole file at once, once, so we first generate "success" messages
for each entry, then we try to write the files, and if things fail, we
generate failure messages to all entries that we failed to write.

diff --cc src/core/manager.c
Simple merge

diff --cc src/sysusers/sysusers.c
index d4997bb6f0d3087e8af43520ce4b4e7b7c9111d8,84eb9fc0c3b82125d36d1e2123df56076ef82dcb..8152e5c205b63b90a13925af20a1bb8d0ea66e95
--- 1/src/sysusers/sysusers.c
--- 2/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@@ -163,9 -168,51 +168,51 @@@ static void maybe_emit_login_defs_warni
          c->login_defs_need_warning = false;
  }
  
+ static void log_audit_accounts(Context *c, ItemType what) {
+ #if HAVE_AUDIT
+         assert(c);
+         assert(IN_SET(what, ADD_USER, ADD_GROUP));
+ 
+         if (arg_dry_run || c->audit_fd < 0)
+                 return;
+ 
+         Item *i;
+         int type = what == ADD_USER ? AUDIT_ADD_USER : AUDIT_ADD_GROUP;
+         const char *op = what == ADD_USER ? "adding-user" : "adding-group";
+ 
+         /* Notes:
+          *
+          * The op must not contain whitespace. The format with a dash matches what Fedora shadow-utils uses.
+          *
+          * We send id == -1, even though we know the number, in particular on success. This is because if we
+          * send the id, the generated audit message will not contain the name. The name seems more useful
+          * than the number, hence send just the name:
+          *
+          * type=ADD_USER msg=audit(01/10/2025 16:02:00.639:3854) :
+          *   pid=3846380 uid=root auid=zbyszek ses=2 msg='op=adding-user id=unknown(952) exe=systemd-sysusers ... res=success'
+          * vs.
+          * type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) :
+          *   pid=3846607 uid=root auid=zbyszek ses=2 msg='op=adding-user acct=foo5 exe=systemd-sysusers ... res=success'
+          */
+ 
+         ORDERED_HASHMAP_FOREACH(i, what == ADD_USER ? c->todo_uids : c->todo_gids)
+                 audit_log_acct_message(
+                                 c->audit_fd,
+                                 type,
+                                 program_invocation_short_name,
+                                 op,
+                                 i->name,
+                                 /* id= */ (unsigned) -1,
+                                 /* host= */ NULL,
+                                 /* addr= */ NULL,
+                                 /* tty= */ NULL,
+                                 /* success= */ 1);
+ #endif
+ }
+ 
  static int load_user_database(Context *c) {
 +        _cleanup_free_ char *passwd_path = NULL;
          _cleanup_fclose_ FILE *f = NULL;
 -        const char *passwd_path;
          struct passwd *pw;
          int r;