This question is related to my previous question: Log all commands run by admins on production servers
It is company policy for admins to log in to the servers via a personal username, and then run `sudo -i` to become root. Upon running `sudo -i`, sudo will create an environment variable called `SUDO_USER`, which contains the original user's username.
Is it possible to have `auditd` include this variable in its logs for each command? Or a functional equivalent.

This is the current rule set for `auditd`:
```
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Log any command run on this system
# (64-bit binaries are only logged if the arch=b64 rule is enabled as well)
#-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
```
As stated here:

> Using `session required pam_loginuid.so` in all login related PAM config files (not the ones for `su` and `sudo`) will let `auditd` log the calling user's uid in the field `auid`. You can search `auditd`'s logs for this id with `ausearch -ua <uid>`, yielding all commands the user issued, even while impersonating another account.
The information you're requesting is, joyfully, already included in the logs. The specific field that you want to look for is `auid`. From the manpage for `auditctl`:

As an example, here is a log entry that I generated using the following methodology:

```
# audit rule (loaded with auditctl or placed in audit.rules)
-a always,exit -S sethostname -S setdomainname -k system-locale
# then, from my normal (non-root) login:
su -
hostname audit-test.home.private
```

So, while yes, the log message is quite verbose, we can clearly see `auid=1000` in the log message, which corresponds to the uid of my user account. For more details on the above example, as well as a brief description of auditd, check out this blog post from IT Security community blogger (me) imaginatively entitled A Brief Introduction to Auditd.

The `ausearch` command mentioned by fuero is part of a suite of applications used to search and run reports against these rather thorough logs.