public inbox for linux-audit@redhat.com
* [RFC] Auditing user command execution
@ 2011-10-26 16:51 Diego Woitasen
  2011-10-26 17:36 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Diego Woitasen @ 2011-10-26 16:51 UTC (permalink / raw)
  To: Linux-audit

Hi,
 I received a requirement from one of my customers to audit what the
users do after sudo. To be sure that only user sessions are audited
I'm using the pam_script module to insert and remove a rule when the
users log in and log out, respectively. I'm doing this because if you
have a persistent rule and you restart a daemon, the audit system will
report the daemon actions, even if the user logs out.

I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
/etc/pam.d/{login,ssh}.

The command line that I'm using to add/remove the rule to audit execs is:

 /sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID

Let me know if anybody has a better way to do this.

Regards,
 Diego

-- 
Diego Woitasen
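The following is an added example, not code from this thread or from the pam_script or audit projects: a POSIX shell hook for pam_script's session phase that adds the execve rule when a sudo session opens and deletes it when the session closes, which is the procedure described above. It assumes pam_script runs pam_script_ses_open and pam_script_ses_close from its script directory, so each of those is a one-line wrapper that calls this file with `add` or `del`. Rather than trusting an environment variable, it reads the login uid from /proc/self/loginuid (set by pam_loginuid on the login stack and inherited by sudo) and refuses to act if none is set. The rule uses the exit list and an arch filter, which current auditctl requires for syscall rules, and a key (sudo-exec, an arbitrary name chosen here) so the rule can be listed and removed by name.

```shell
#!/bin/sh
# Constructed example (not from the thread): pam_script session hook that
# installs or removes an execve audit rule scoped to the session's loginuid.
# Usage: sudo-exec-audit.sh add|del  (called from pam_script_ses_open /
# pam_script_ses_close wrappers; assumed hook names, see lead-in)

UNSET_LOGINUID=4294967295   # kernel value for "no loginuid set" (-1 as u32)
RULE_KEY=sudo-exec          # key so the rule can be found with ausearch -k

# Read the login uid from the kernel; the file path is a parameter only so
# the function can be exercised against a constructed file.
read_loginuid() {
    cat "${1:-/proc/self/loginuid}" 2>/dev/null
}

# A loginuid is usable only if it is numeric and actually set.
loginuid_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ne "$UNSET_LOGINUID" ]
}

# Compose the auditctl arguments for adding (-a) or deleting (-d) the rule.
# Both directions use the same text, so a rule added on open is removed
# on close and nothing else on the rule list is touched.
build_rule() {
    action=$1
    auid=$2
    case "$action" in
        add) flag=-a ;;
        del) flag=-d ;;
        *)   return 1 ;;
    esac
    printf '%s exit,always -F arch=b64 -S execve -F auid=%s -k %s\n' \
        "$flag" "$auid" "$RULE_KEY"
}

main() {
    action=$1
    auid=$(read_loginuid)
    if ! loginuid_is_valid "$auid"; then
        # Fail closed: a session without a loginuid cannot be attributed,
        # and a non-zero exit makes pam_script fail the session phase.
        echo "sudo-exec-audit: no loginuid on this session" >&2
        return 1
    fi
    # Deleting a rule that is already gone (for example after a daemon
    # restart cleared the rule list) is not an error worth failing logout.
    # shellcheck disable=SC2046
    /sbin/auditctl $(build_rule "$action" "$auid") >/dev/null \
        || [ "$action" = del ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Two caveats a deployment should account for: the rule is keyed only on auid, so if the same user has two sudo sessions open at once, closing either one removes auditing for the other (a per-auid counter under /run, or deleting rules only at logout from the login stack, avoids that); and arch=b64 covers 64-bit binaries only, so on a system that runs 32-bit programs a second rule with arch=b32 is needed. Results are read back with `ausearch -k sudo-exec`. As noted further down the thread, an execve rule records program starts, not what is typed into an interpreter once it is running; pam_tty_audit on the same stack covers that gap.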


* Re: [RFC] Auditing user command execution
  2011-10-26 16:51 [RFC] Auditing user command execution Diego Woitasen
@ 2011-10-26 17:36 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2011-10-26 17:36 UTC (permalink / raw)
  To: linux-audit

On Wednesday, October 26, 2011 12:51:02 PM Diego Woitasen wrote:
>  I received a requirement from one of my customers to audit what the
> users do after sudo. To be sure that only user sessions are audited
> I'm using the pam_script module to insert and remove a rule when the
> users log in and log out, respectively. I'm doing this because if you
> have a persistent rule and you restart a daemon, the audit system will
> report the daemon actions, even if the user logs out.
> 
> I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
> /etc/pam.d/{login,ssh}.
> 
> The command line that I'm using to add/remove the rule to audit execs is:
> 
>  /sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID
> 
> Let me know if anybody has a better way to do this.

This looks about right given the current implementation. However, thinking about this 
made me realize that we do not allow adding a session id field to an audit rule. We 
should probably fix that.

Another approach might be to add tty auditing to the sudo pam stack so that you can 
tell what the person is doing. What if they open python and start typing commands? 
With execve, you will see python start and then nothing. Meanwhile files could be 
deleted or copied or whatever.

-Steve

