  1. #1
    Just Joined!
    Join Date
    May 2010
    Posts
    9

    Linux Auditd / filtering by user & sudo su -


    Hello,

    I would like to configure auditd to only log events issued by some users acting as root after a 'sudo su -'.

    Unfortunately, after the user "system" does a "sudo su -", the ids of the user are the same as root's.

    Here is the log of the "date" command issued by the user "system", uid 500:


    May 27 10:20:36 doma audispd: node=doma type=SYSCALL msg=audit(1274948436.000:57884): arch=c000003e syscall=59 success=yes exit=0 a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006 auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19 sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)
    May 27 10:20:36 doma audispd: node=doma type=EXECVE msg=audit(1274948436.000:57884): a0="date"
    May 27 10:20:36 doma audispd: node=doma type=PATH msg=audit(1274948436.000:57884): item=0 name="/bin/date" inode=48341 dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00


    Here's the same report of the "date" command after the user "system" changed its id using "sudo su -":

    May 27 10:22:13 doma audispd: node=doma type=SYSCALL msg=audit(1274948533.407:58095): arch=c000003e syscall=59 success=yes exit=0 a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27175 pid=27181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="date" exe="/bin/date" key=(null)
    May 27 10:22:13 doma audispd: node=doma type=EXECVE msg=audit(1274948533.407:58095): a0="date"
    May 27 10:22:13 doma audispd: node=doma type=PATH msg=audit(1274948533.407:58095): item=0 name="/bin/date" inode=48341 dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00

    Any idea how I can identify the primary login user for one specific command?

    At first I thought it was auid, but its value is always set to 4294967295.

    I've also searched for logging commands specific to a TTY, but it seems auditd cannot filter on one specific TTY.

    Regards

    FP.

  2. #2
    Linux Newbie
    Join Date
    Apr 2007
    Posts
    119
    Which version of auditd are you using?

  3. #3
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    audit-2.0.4

  4. #4
    Linux Newbie
    Join Date
    Apr 2007
    Posts
    119
    My guess is that something broke from the previous release to the current one. I had a similar issue with an older version not performing as advertised and found it was a known issue to be fixed/patched.

    You might want to submit a bug report for your distro; you would probably get more targeted help.

  5. #5
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    Except for auid, any idea how to filter only some of the specified ttys?

  6. #6
    Linux Newbie
    Join Date
    Apr 2007
    Posts
    119
    You could audit for specific events instead of who does them or log all and search based on the tty. AFAIR, there was no option to limit by the tty.

  7. #7
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    Thank you for your comment. That was also my conclusion. The problem is I want to log only actions taken by interactive users. I don't want to log every automatic action taken under the root user...

  8. #8
    Linux Newbie
    Join Date
    Apr 2007
    Posts
    119
    The other option might be to drop back to a previous version of audit to verify it is in fact a bug.

  9. #9
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    I've been told that I should set up pam_loginuid to log the uid in the process "context", which then permits setting auid.

    For the tty, pam_ttyaudit is the one to use.

    I'm looking for the configuration of those two components.
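The thread's core problem is that auid (the login uid) is 4294967295, i.e. (uid_t)-1 "unset", so once a user has done "sudo su -" the SYSCALL record carries uid=0 and nothing ties it back to the person who logged in. auid is only populated when pam_loginuid.so is in the session stack of the login service (sshd, login, gdm, ...); it survives su and sudo, which is exactly what makes it the field to filter on. Once auid is set, a rule of the form `-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=4294967295 -k interactive` logs only execs by sessions that started as a real login user, and `pam_tty_audit.so` (the module the last post refers to as pam_ttyaudit) covers the TTY side. The following Python is an added example, not code from this thread or from the audit project: it parses SYSCALL records and applies the same auid logic the rule above uses, so you can check on existing logs whether pam_loginuid is actually stamping sessions. The first two records are the ones posted in the thread; the third is a constructed record showing what the same execve looks like once auid is set. The threshold 500 and the key name are assumptions taken from the thread's "uid 500".

```python
import re

# (uid_t)-1: the kernel reports this auid when no login uid was ever set
# for the session, which is what every record in the thread shows.
AUID_UNSET = 4294967295

# Two SYSCALL records taken from the thread (auid unset), plus one
# constructed record: same "date" execve, but issued from a session that
# pam_loginuid stamped with auid=500 before the user ran "sudo su -".
SAMPLE_RECORDS = [
    'May 27 10:20:36 doma audispd: node=doma type=SYSCALL msg=audit(1274948436.000:57884): '
    'arch=c000003e syscall=59 success=yes exit=0 a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 '
    'ppid=26772 pid=27006 auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 '
    'egid=19 sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)',
    'May 27 10:22:13 doma audispd: node=doma type=SYSCALL msg=audit(1274948533.407:58095): '
    'arch=c000003e syscall=59 success=yes exit=0 a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 '
    'ppid=27175 pid=27181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=tty1 comm="date" exe="/bin/date" key=(null)',
    # constructed: what record two would look like with pam_loginuid in place
    'May 27 10:25:01 doma audispd: node=doma type=SYSCALL msg=audit(1274948701.000:58200): '
    'arch=c000003e syscall=59 success=yes exit=0 a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 '
    'ppid=27300 pid=27305 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=tty1 comm="date" exe="/bin/date" key="interactive"',
]

# key=value pairs; values are either "quoted", (parenthesised) like key=(null),
# or a bare token such as msg=audit(...): or arch=c000003e.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into a dict of fields, with surrounding quotes removed."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(rec, min_login_uid=500):
    """Attribute a SYSCALL record the way an auid-based rule would.

    'unattributable'      auid never set: pam_loginuid is missing for this login path
    'system'              auid below the first human uid: daemons, cron, boot
    'interactive-as-root' a real login user running with uid 0 (su/sudo)
    'interactive'         a real login user running as themselves
    """
    auid = int(rec.get('auid', AUID_UNSET))
    uid = int(rec.get('uid', -1))
    if auid == AUID_UNSET:
        return 'unattributable'
    if auid < min_login_uid:
        return 'system'
    if uid == 0 and auid != 0:
        return 'interactive-as-root'
    return 'interactive'


def find_interactive_root(lines, min_login_uid=500):
    """Return (comm, auid) for every record that a login user executed as root."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('type') != 'SYSCALL':
            continue
        if classify(rec, min_login_uid) == 'interactive-as-root':
            hits.append((rec.get('comm', '?'), int(rec['auid'])))
    return hits


def audit_rule(min_login_uid=500, key='interactive'):
    """auditctl rule equivalent to classify(): only sessions with a real login uid."""
    return (f'-a always,exit -F arch=b64 -S execve '
            f'-F auid>={min_login_uid} -F auid!={AUID_UNSET} -k {key}')


if __name__ == '__main__':
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(f"{rec['comm']:6} auid={rec['auid']:>10} uid={rec['uid']:>5} -> {classify(rec)}")
    print('rule:', audit_rule())
```

If every record on a box comes back 'unattributable', the rule above will match nothing and the fix is on the PAM side (adding `session required pam_loginuid.so` to the login services), not in the audit rules.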
