It is a well known problem that once you grant sudo to a user and that user starts a shell, you lose track of what they do next. In one project I was asked to find a way to keep a record of a user's actions after sudo. Linux offers a way to do this through the "audit" subsystem: with this piece of the kernel and its user-space tools you can log the system calls that are invoked (among other things). The most important one to watch is the "execve" system call. With a record of its invocations you know exactly what users are running after "sudo some_shell".
There are some things to note about audit:
- What gets audited is configured by a set of rules.
- Rules specify things like which system call, which user ID, and so on.
- Rules are persistent if they are set in /etc/audit/audit.rules. This means, for example, that if you set up auditing for a user and that user restarts a daemon or launches something with nohup, the system keeps sending records to the audit log even after the user logs out.
- auditctl is a command line tool that loads rules without going through the configuration file.
- auid is the audit user ID, i.e. the ID of the user who originally logged in. This value is set in the PAM stack at login and persists across sudo or su, which is what lets you attribute root's actions back to the real user.
```
# PAM session stack: pam_loginuid.so is what sets the audit uid (auid) at login
session required pam_script.so onerr=success dir=/etc/pam-script
session required pam_loginuid.so
```
```sh
# Resolve the numeric uid of the user to audit ($USER as in the original)
AUID=$(getent passwd "$USER" | cut -d: -f3)
# -a adds the rule, -d deletes it: record every execve issued under that audit uid
/sbin/auditctl -a entry,always \
    -S execve \
    -F auid="$AUID"
```
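Once the rule is loaded, each execve produces a SYSCALL record (carrying auid and the effective uid) paired with an EXECVE record (carrying the argv) under the same event serial. The following is an added example, not code from the original post: it joins the two record types from a constructed sample of audit.log lines and lists what a given login user ran, including commands executed as root after sudo (uid=0 but auid unchanged). Hex-encoded arguments, which auditd emits for values containing spaces or special characters, are decoded.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not real captured data):
# login uid 1000 runs two commands as root after sudo; uid 1001 runs one as itself.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=7f ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="sudo-shell"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="cat" a1="/etc/sudoers"
type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=59 success=yes exit=0 a0=7f ppid=4100 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="sudo-shell"
type=EXECVE msg=audit(1700000000.250:502): argc=4 a0="useradd" a1="-c" a2=6F70732075736572 a3="deploy"
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=59 success=yes exit=0 a0=7f ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=9 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.300:503): argc=2 a0="ls" a1="-la"
"""

MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arg(value):
    """EXECVE args are quoted when plain; otherwise auditd hex-encodes the raw bytes."""
    if value.startswith('"'):
        return value[1:-1]
    return bytes.fromhex(value).decode("utf-8", "replace")


def parse_events(text):
    """Group records by event serial: {serial: {"ts": float, "SYSCALL": {...}, "EXECVE": {...}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        events[serial]["ts"] = float(ts)
        events[serial][rtype] = dict(FIELD_RE.findall(rest))
    return events


def execve_by_auid(text, auid):
    """Return [(timestamp, effective uid, command line)] for execve events of login uid `auid`."""
    rows = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc, ex = ev.get("SYSCALL"), ev.get("EXECVE")
        # syscall=59 is execve on x86_64 raw logs; `ausearch -i` prints the name instead
        if not sc or not ex or sc.get("syscall") not in ("59", "execve") or sc.get("auid") != str(auid):
            continue
        argv = [decode_arg(ex["a%d" % i]) for i in range(int(ex["argc"]))]
        rows.append((ev["ts"], sc["uid"], shlex.join(argv)))
    return rows


if __name__ == "__main__":
    for ts, uid, cmd in execve_by_auid(SAMPLE_AUDIT_LOG, 1000):
        print("%.3f auid=1000 uid=%s %s" % (ts, uid, cmd))
```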