[RFC] Auditing user command execution

Steve Grubb sgrubb at redhat.com
Wed Oct 26 17:36:30 UTC 2011


On Wednesday, October 26, 2011 12:51:02 PM Diego Woitasen wrote:
>  I received a requirement from one of my customers to audit what the
> users do after sudo. To be sure that only user sessions are audited,
> I'm using the pam_script module to insert and remove a rule when the
> users log in and log out, respectively. I'm doing this because if you
> have a persistent rule and you restart a daemon, the audit system will
> report the daemon's actions, even if the user logs out.
> 
> I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
> /etc/pam.d/{login,ssh}.
> 
> The command line that I'm using to add/remove the rule to audit execs is:
> 
>  /sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID
> 
> Let me know if anybody has a better way to do this.

This looks about right given the current implementation. However, thinking about this 
made me realize that we do not allow adding a session id field to an audit rule. We 
should probably fix that.

Another approach might be to add tty auditing to the sudo pam stack so that you can 
tell what the person is doing. What if they open python and start typing commands? 
With execve, you will see python start and then nothing. Meanwhile files could be 
deleted or copied or whatever.

-Steve
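The per-session rule handling Diego describes, written out as a pam_script session hook. This is an added example, not code from the thread or from the audit project. It assumes pam_script exports PAM_TYPE as "open_session"/"close_session", that the login uid of the sudo process can be read from /proc/self/loginuid (set by pam_loginuid at login, inherited by sudo), and that a state directory under /run may be used for reference counts. It goes beyond the one-liner in the question in two ways a practitioner would want: it refuses to install a rule when the loginuid is unset (4294967295), since such a rule would match every daemon, the very thing the per-session approach is meant to avoid; and it counts open sessions per auid so a user's second concurrent sudo session does not remove the rule for the first. The "exit" list is used because newer auditctl versions deprecate the "entry" list in Diego's command.

```shell
#!/bin/sh
# pam_script session hook (added example, not from the original thread).
# open_session: add an execve audit rule for this session's login uid.
# close_session: remove it once the last session for that auid ends.
#
# Assumptions: pam_script exports PAM_TYPE; /proc/self/loginuid holds the
# auid pam_loginuid set at login; STATE_DIR holds one counter file per auid.

AUDITCTL="${AUDITCTL:-/sbin/auditctl}"
LOGINUID_FILE="${LOGINUID_FILE:-/proc/self/loginuid}"
STATE_DIR="${STATE_DIR:-/run/audit-session-rules}"   # per-auid session counts
RULE_KEY="${RULE_KEY:-sudo-exec}"                     # -k key, for "ausearch -k"

# Print the auditctl arguments for one rule. $1 is -a (add) or -d (delete),
# $2 the auid. On x86_64 hosts two rules (-F arch=b64 and -F arch=b32) are
# the usual practice; a single arch-less rule is kept here for brevity.
rule_args() {
    printf '%s exit,always -S execve -F auid=%s -k %s\n' "$1" "$2" "$RULE_KEY"
}

# Reject anything that is not a real login uid. 4294967295 is the "unset"
# loginuid; a rule matching it would audit every daemon on the box.
valid_auid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ne 4294967295 ]
}

current_auid() {
    tr -d '\n' < "$LOGINUID_FILE"
}

# Session count for an auid; a missing counter file means 0.
count_for() {
    cat "$STATE_DIR/$1" 2>/dev/null || echo 0
}

session_open() {
    auid=$(current_auid)
    if ! valid_auid "$auid"; then
        echo "audit-session: refusing to add rule for auid '$auid'" >&2
        return 1
    fi
    mkdir -p "$STATE_DIR"
    n=$(count_for "$auid")
    # First session for this auid: install the rule. Two sessions opening at
    # the same instant could race here; serialise with flock(1) if that matters.
    if [ "$n" -eq 0 ]; then
        "$AUDITCTL" $(rule_args -a "$auid") || return 1
    fi
    printf '%s\n' $((n + 1)) > "$STATE_DIR/$auid"
}

session_close() {
    auid=$(current_auid)
    valid_auid "$auid" || return 1
    n=$(count_for "$auid")
    if [ "$n" -le 1 ]; then
        # Last session for this auid: drop the rule and the counter.
        rm -f "$STATE_DIR/$auid"
        "$AUDITCTL" $(rule_args -d "$auid") || return 1
    else
        printf '%s\n' $((n - 1)) > "$STATE_DIR/$auid"
    fi
}

case "${PAM_TYPE:-}" in
    open_session)  session_open ;;
    close_session) session_close ;;
    *)             : ;;   # auth/account/password phases: nothing to do
esac
```

Hooked into /etc/pam.d/sudo with a `session` line for pam_script.so (how pam_script locates its session scripts depends on the version and its `onsesopen`/`onsesclose` or directory options; check the module's documentation for the installed build). For Steve's alternative, a `session required pam_tty_audit.so enable=*` line in the same stack records the keystrokes of the session, including what is typed inside an interpreter, and the records can be read back with `ausearch -m TTY` or `aureport --tty`.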
