LinuxQuestions.org
04-02-2012, 09:12 AM, #1
pingu, Senior Member (registered Jul 2004, Skuttunge SWEDEN, Debian preferably)
Log all root activity with actual uid


Because of PCI requirements we need to log all commands issued by root with the uid of the "original" user - that is, we always log in via ssh with personal accounts and then "su" to root. All commands issued by us after su-ing to root must be logged with our personal uid.
I have tried with:
* auditd, it doesn't log all commands, and those it does log carry only root's uid.

* pam_loginuid.so, added this to the files sshd, su, su-l, sudo:
Code:
# set the kernel audit login uid (auid) for this session; child processes inherit it
session required pam_loginuid.so
session include common-session
This should work, to quote the documentation: "Audit allows you to consistently track a user's actions from login right through logout no matter which identities this user might adopt by using audit IDs that are created upon login and handed down to any child process of the original login process."
But it doesn't keep the user's uid.

* and by adding this to /root/.bashrc:
Code:
# append the new history lines to ~/.bash_history and to syslog, tagged with the shell's user, pid and ssh source
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
This sends all commands to /var/log/messages, but only with root's uid.

So far all in vain: after "su -" everything is logged only with root's uid.
We could use "sudo", but that is very impractical for several reasons (no tab-completion for "root-only" directories/files, problems piping output, bash built-in commands don't work...).

So does anybody have an idea how to get this logging to work?
 
04-02-2012, 09:15 AM, #2
acid_kewpie, Moderator (registered Jun 2001, UK, Gentoo/RHEL/Fedora/CentOS)
Sounds to me that using "sudo -i" could be of use. When doing that instead of "su -" you will have environmental variables in your shell e.g. $SUDOUSER which gives you much more clarity over who the shell actually is.
 
1 members found this post helpful.
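The two posts above point at two different sources of the "real" identity: the kernel audit login uid that pam_loginuid attaches to the ssh session (the value auditd reports as auid, readable from /proc/self/loginuid and inherited across "su -"), and $SUDO_USER for shells started with "sudo -i". The following is an added example written for this page, not code from pingu or acid_kewpie: a replacement for the /root/.bashrc PROMPT_COMMAND logger that records both. The syslog tag root-shell, the line format and the function names are my choices; it assumes bash, the util-linux logger, and pam_loginuid in sshd's session stack (without that the login field reads "unset").

```shell
#!/bin/bash
# Added example (not from the thread): log every root-shell command together
# with the identity of the person who actually logged in.
# - /proc/self/loginuid is the audit login uid that pam_loginuid sets on the
#   ssh session; su and sudo inherit it, so inside a "su -" shell it is still
#   the personal uid. The value 4294967295 (2^32-1) means it was never set.
# - $SUDO_USER covers shells started with "sudo -i".
# Assumptions: bash, util-linux logger, pam_loginuid active for sshd.

# Map an audit login uid to a user name: "unset" if pam_loginuid never ran,
# the raw number if the uid has no passwd entry.
loginuid_to_name() {
    local uid="$1" name=""
    if [ -z "$uid" ] || [ "$uid" = "4294967295" ]; then
        printf 'unset\n'
        return 0
    fi
    name=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-$uid}"
}

# Login user of the current shell, taken from the audit subsystem.
login_user() {
    local luid=""
    luid=$(cat /proc/self/loginuid 2>/dev/null) || luid=""
    loginuid_to_name "$luid"
}

# One log line per command: who logged in, who ran sudo (if anyone),
# the shell's pid and tty, and the command text.
format_log_line() {
    local login="$1" sudo_user="$2" pid="$3" tty="$4" cmd="$5"
    printf 'login=%s sudo_user=%s pid=%s tty=%s cmd=%s\n' \
        "$login" "$sudo_user" "$pid" "$tty" "$cmd"
}

# Ship the history lines added since the last prompt to syslog (authpriv)
# and keep a copy in the history file, as the original tee-based logger did.
log_new_commands() {
    local login tty tmp cmd
    login=$(login_user)
    tty=$(tty 2>/dev/null)
    tmp=$(mktemp) || return 1
    # "history -a" writes only the lines added since its previous call,
    # so every command is logged exactly once
    history -a "$tmp"
    cat "$tmp" >> "${HISTFILE:-$HOME/.bash_history}"
    while IFS= read -r cmd; do
        case $cmd in '#'[0-9]*) continue ;; esac   # HISTTIMEFORMAT timestamp lines
        logger -t root-shell -p authpriv.notice \
            "$(format_log_line "$login" "${SUDO_USER:-none}" "$$" "$tty" "$cmd")"
    done < "$tmp"
    rm -f "$tmp"
}

# Only hook an interactive shell; sourcing this from a script stays harmless.
case $- in
    *i*) shopt -s histappend; PROMPT_COMMAND=log_new_commands ;;
esac
```

This is a detective control living in root's own .bashrc, so root can silence it; treat the syslog lines as a convenience index and the auditd records (which carry the same auid) as the authoritative trail, and cross-check a suspicious login= value with "ausearch -ul <uid>". If login_user prints "unset" for an ssh session, pam_loginuid is not running in sshd's session stack and auditd will show auid=4294967295 for the same reason.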
04-02-2012, 11:06 AM, #3
unSpawn, Moderator (registered May 2001, 55 blog entries)
Quote (Originally Posted by pingu):
    I have tried with: auditd, it doesn't log all commands & those logged are with only root's uid.
Audit logs the auid but we don't know your rule set ('auditctl -l') and the result (say 'ausearch -ts today -ul [LOGINUID]').


Quote (Originally Posted by pingu):
    So does anybody have an idea how to get this logging to work?
I don't do this for PCI-DSS but I use a mix of the CAPP and LSPP rule sets + sudo as entry point + rootsh which provides command and output logging.
 
1 members found this post helpful.
04-03-2012, 03:52 AM, #4
pingu, Senior Member, Original Poster
acid_kewpie: Thanks a lot, I knew about "sudo -i" but never heard about that environmental variable! (Only, at least in SLES, it's $SUDO_USER).

unSpawn:
Sorry, I should've been more informative here. The reason for not giving more info about my auditd config is that I've read a lot about it and found nothing to aid me. My conclusion was that auditd simply could not do what I wanted.

Now even though acid_kewpie's suggestion is sufficient, I still would like to dig deeper into auditd.
All my tries with it have given the same: "su -" sets auid to "0".
Now since I've messed around a lot with auditd, the last thing I did yesterday was to restore original config so unfortunately I can't really tell exactly what I was trying.
But maybe you can put me in the right direction here, as I said I have read a lot about auditd without finding anything relevant about this specific issue.
 
04-03-2012, 05:37 PM, #5
unSpawn, Moderator
I'd say load one of the rule sets I mentioned like
Code:
# uncomment the "-a" rules and load them as a rule file (xargs -i would hand each whole rule to auditctl as a single argument)
sed -e "s|^#-a|-a|g" /usr/share/doc/audit-1.8/lspp.rules | grep -v '^#' | grep . > /tmp/lspp.rules && auditctl -R /tmp/lspp.rules
or add rules to your default audit.rules like with
Code:
# one exec-watch rule per binary, keyed BIN_test so "ausearch -k BIN_test" finds the records
find /sbin /bin /usr/sbin /usr/bin -type f -printf "auditctl -a always,exit -F path=%p -F perm=x -k BIN_test\n" | /bin/sh
and post the output after Doing Stuff.
 
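What "post the output" would show with such exec-watch rules in place is that every SYSCALL record keeps auid (the login uid) next to uid (what the process became), so a command run after "su -" appears as auid=<personal uid> uid=0. The following is an added example written for this page, not unSpawn's code: a small reader for raw audit.log SYSCALL records that extracts exactly those fields and filters by login uid, the way "ausearch -k BIN_test -ul <uid> -i" does. The records are constructed and abbreviated for the example (real ones also carry a0..a3, items, subj and more), the key BIN_test is the one from the find/auditctl command above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): relate executed programs to the
# login uid (auid) that stands behind them, from raw audit.log lines.

# Constructed, abbreviated SYSCALL/CWD records: pingu (uid 1001) runs su and
# then useradd as root; another user (1002) runs passwd as root; a cron job
# runs with no login uid at all (auid=4294967295).
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1333456321.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1801 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=0 fsgid=0 tty=pts0 ses=7 comm="su" exe="/bin/su" key="BIN_test"
type=CWD msg=audit(1333456321.101:201): cwd="/home/pingu"
type=SYSCALL msg=audit(1333456330.250:215): arch=c000003e syscall=59 success=yes exit=0 ppid=1801 pid=1830 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="BIN_test"
type=SYSCALL msg=audit(1333456402.007:240): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=9 comm="passwd" exe="/usr/bin/passwd" key="BIN_test"
type=SYSCALL msg=audit(1333456500.000:260): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="BIN_test"
EOF
}

# stdin: raw audit.log lines; stdout: "<auid> <uid> <exe> <success>" for each
# SYSCALL record. auid is the login uid set by pam_loginuid; uid is the
# credential the program actually ran with.
audit_exec_summary() {
    awk '
        $1 != "type=SYSCALL" { next }
        {
            auid = uid = exe = succ = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]          # not euid/suid/fsuid
                else if (kv[1] == "exe") { exe = kv[2]; gsub(/"/, "", exe) }
                else if (kv[1] == "success") succ = kv[2]
            }
            if (auid == "4294967295") auid = "unset"   # no login uid (daemons, cron)
            print auid, uid, exe, succ
        }'
}

# Everything a given login uid executed, whatever uid it had become,
# i.e. the "ausearch -ul <uid>" view. $1 = login uid or "unset".
audit_by_login_uid() {
    audit_exec_summary | awk -v want="$1" '$1 == want'
}

# Stand-alone demo: the trail of login uid 1001 across the su boundary.
sample_audit_log | audit_by_login_uid 1001
```

The point of the output is the second line, "1001 0 /usr/sbin/useradd yes": uid has become 0 but auid has not, which is the attribution PCI asks for. If the same report shows auid=4294967295 for an ssh-originated shell, the sshd PAM stack is missing pam_loginuid, and no amount of extra rules will recover the login uid after the fact.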