On Wednesday, October 26, 2011 12:51:02 PM Diego Woitasen wrote:
I received a requirement from one of my customers to audit what the
users do after sudo. To be sure that only user sessions are audited
I'm using the pam_script module to insert and remove a rule when the
users log in and log out, respectively. I'm doing this because if you
have a persistent rule and you restart a daemon, the audit system will
report the daemon actions, even if the user logs out.
I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
/etc/pam.d/{login,ssh}.
The command line that I'm using to add/remove the rule to audit execs is:
/sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID
Let me know if anybody has a better way to do this.
This looks about right given the current implementation. However, thinking about this
made me realize that we do not allow adding a session id field to an audit rule. We
should probably fix that.
Another approach might be to add tty auditing to the sudo pam stack so that you can
tell what the person is doing. What if they open python and start typing commands?
With execve, you will see python start and then nothing. Meanwhile files could be
deleted or copied or whatever.
-Steve
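As an added example (not code from either poster), here is the add/remove hook Diego describes written as a pam_script session script for the sudo PAM stack. It assumes pam_script exports PAM_TYPE as open_session or close_session and that pam_loginuid already set the login UID at the original login, so /proc/self/loginuid carries the auid; it uses the exit list with an arch filter, which current auditctl expects, instead of entry,always.

```shell
#!/bin/sh
# pam_script session hook (assumed to be installed as pam_script_ses_open
# and pam_script_ses_close in the sudo stack).  Adds an execve audit rule
# keyed on the caller's login UID when the session opens and removes it
# when the session closes, so only the interactive user's commands are
# recorded and a daemon restarted under sudo is not.

AUDITCTL=${AUDITCTL:-/sbin/auditctl}

# The login UID that pam_loginuid stamped on this session at the original
# login.  4294967295 (-1) means it was never set: not a user session.
login_uid() {
    uid=$(cat /proc/self/loginuid 2>/dev/null) || return 1
    [ -n "$uid" ] && [ "$uid" != "4294967295" ] || return 1
    printf '%s\n' "$uid"
}

# auditctl arguments for adding (-a) or removing (-d) the execve rule.
# Generated in one place so the same text is used for add and remove and
# can be checked without root.  arch=b64 is an assumption for an x86_64
# host; use b32 (or both rules) where 32-bit binaries matter.
rule_args() {
    case "$1" in
        add)    flag=-a ;;
        remove) flag=-d ;;
        *)      return 1 ;;
    esac
    printf '%s exit,always -F arch=b64 -S execve -F auid=%s\n' "$flag" "$2"
}

# Map the PAM phase to an action; any other phase is a no-op so the same
# script can serve both session hooks.
action_for_phase() {
    case "$1" in
        open_session)  echo add ;;
        close_session) echo remove ;;
        *)             return 1 ;;
    esac
}

main() {
    action=$(action_for_phase "${PAM_TYPE:-}") || exit 0
    auid=$(login_uid) || exit 0   # no login UID: not an interactive session
    # Unquoted on purpose: the rule text is split into separate arguments.
    "$AUDITCTL" $(rule_args "$action" "$auid") >/dev/null 2>&1
}

# Only act when invoked by PAM; sourcing the file for checks runs nothing.
if [ -n "${PAM_TYPE:-}" ]; then main; fi
```

Steve's point still applies: this records execve only, so a shell or interpreter started under sudo shows up as a single record, and pam_tty_audit in the same stack is what captures the keystrokes that follow.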