[RFC] Auditing user command execution
Diego Woitasen
diego at woitasen.com.ar
Wed Oct 26 16:51:02 UTC 2011
Hi,
I received a requirement from one of my customer to audit what the
users do after sudo. To be sure that only user sessions are audited
I'm using the pam_script module to insert and remove a rule when the
users logins and logouts, respectively. I'm doing this because if you
have a persistent rule and you restart a daemon, the audit system will
report the daemon actions, even if the user logouts.
I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
/etc/pam.d/{login,ssh}.
The command line that I'm using to add/remove the rule to audit execs is:
/sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID
Let me know if anybody has a better way to do this.
Regards,
Diego
--
Diego Woitasen
More information about the Linux-audit
mailing list