Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Because of PCI requirements we need to log all commands issued by root with the uid of the "original" user - that is, we always log in via ssh with personal accounts and then "su" to root. All commands issued by us after su-ing to root must be logged with our personal uid.
I have tried with:
* auditd: it doesn't log all commands, and those logged are only with root's uid.
* pam_loginuid.so, added to the files sshd, su, su-l, sudo:
session required pam_loginuid.so
session include common-session
This should (quote) "Audit allows you to consistently track a user's actions from login right through logout no matter which identities this user might adopt by using audit IDs that are created upon login and handed down to any child process of the original login process."
But it doesn't keep the user's uid.
* and by adding this to /root/.bashrc:
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
This sends all commands to /var/log/messages, but only with root's uid.
So, so far all in vain: after "su -" everything logged is logged only with root's uid.
We could use "sudo", but that is very impractical for several reasons (no tab-completion for "root-only" directories/files, problems piping output, bash built-in commands don't work...)
So does anybody have an idea how to get this logging to work?
Sounds to me that using "sudo -i" could be of use. When doing that instead of "su -" you will have environmental variables in your shell, e.g. $SUDOUSER, which gives you much more clarity over who the shell actually is.
acid_kewpie: Thanks a lot, I knew about "sudo -i" but never heard about that environmental variable! (Only, at least in SLES, it's $SUDO_USER).
unSpawn:
Sorry, I should've been more informative here. The reason for not giving more info about my auditd config is that I've read a lot about it and found nothing to aid me. My conclusion was that auditd simply could not do what I wanted.
Now even though acid_kewpie's suggestion is sufficient, I still would like to dig deeper into auditd.
All my tries with it have given the same result: "su -" sets auid to "0".
Now since I've messed around a lot with auditd, the last thing I did yesterday was to restore original config so unfortunately I can't really tell exactly what I was trying.
But maybe you can put me in the right direction here; as I said, I have read a lot about auditd without finding anything relevant about this specific issue.
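As an added example (not code posted in this thread), the bash snippet below puts the two halves of this discussion together: a PROMPT_COMMAND hook that tags each root command in syslog with the login behind the shell, taking SUDO_USER first as acid_kewpie suggested and falling back to the utmp login name and then the current user, plus a small parser for the auid= field of an auditd record so the "su - sets auid to 0" symptom can be checked against real log lines rather than by impression. The function names, the root-shell syslog tag and the sample audit record are all constructed for this example. One related check worth making: pam_loginuid.so writes /proc/self/loginuid for the user being authenticated, so listing it in the su or sudo PAM stacks as well as sshd lets a root su overwrite the login uid with 0; it belongs only in the services that start the session (sshd, login).

```bash
#!/bin/bash
# Added example, not code from the thread. Logs every command typed in an
# interactive root shell to syslog, tagged with the person who became root,
# and parses the auid= field from auditd records.
# Assumes root was reached with "sudo -i" (which exports SUDO_USER) or that
# utmp still knows the login name; otherwise it falls back to the current user.

# Who is really behind this shell?  Order: SUDO_USER, utmp login name, id -un.
original_user() {
    local name=${SUDO_USER:-}
    [ -n "$name" ] || name=$(logname 2>/dev/null)
    [ -n "$name" ] || name=$(id -un)
    printf '%s\n' "$name"
}

# Compose one syslog line.
# Usage: format_entry <login> <pid> <ssh_connection> <command>
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; only the
# client address is kept so the line stays short. Empty -> "local".
format_entry() {
    local login=$1 pid=$2 conn=$3 cmd=$4
    local client=${conn%% *}
    printf 'user=%s pid=%s from=%s cmd=%s\n' \
        "$login" "$pid" "${client:-local}" "$cmd"
}

# Strip the history number and surrounding spaces from "history 1" output.
# Assumes HISTTIMEFORMAT is unset; with it set, the timestamp would also
# have to be removed here.
strip_history_number() {
    sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//'
}

# Hook run after every prompt: ship the command just executed to syslog.
# "root-shell" is a tag chosen for this example.
log_last_command() {
    local cmd
    cmd=$(history 1 | strip_history_number)
    [ -n "$cmd" ] || return 0
    format_entry "$(original_user)" "$$" "${SSH_CONNECTION:-}" "$cmd" \
        | logger -t root-shell
}

# Install the hook only in an interactive shell (e.g. when sourced from
# /root/.bashrc); sourcing this file from a script leaves PROMPT_COMMAND alone.
case $- in
    *i*) PROMPT_COMMAND='history -a; log_last_command' ;;
esac

# Pull the login uid (auid=) out of one auditd record, as found in
# /var/log/audit/audit.log.  The kernel's "no loginuid" value 4294967295
# (-1) is reported as "unset": that is what appears when pam_loginuid never
# ran for the session.  A record without the field at all gives "missing".
audit_auid() {
    local rec=$1 auid
    case $rec in
        *auid=*) ;;
        *) printf 'missing\n'; return 0 ;;
    esac
    auid=${rec##*auid=}      # text after the last "auid="
    auid=${auid%% *}         # up to the next space
    case $auid in
        4294967295|-1) printf 'unset\n' ;;
        *) printf '%s\n' "$auid" ;;
    esac
}

# Constructed sample record (not from the thread) showing the desired state:
# the command ran as uid=0, but the login uid still identifies the person.
SAMPLE_RECORD='type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi"'
```

Usage: source the file from /root/.bashrc on the host, then review the resulting messages with the root-shell tag; `audit_auid "$line"` over lines of audit.log shows quickly whether records after su still carry the login uid or have dropped to 0.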