6 thoughts on “Auditing user actions after sudo”

  1. Hi! Using this lines (tutorial) only can register LOGIN action and acid converted to root. Not logging “commands executed”

  2. Hello, I got the same Problem, I also see just the login.

    [TEST]root@tstdebsv0604:~# tail -4 /etc/pam.d/sshd
    ## Log user actions
    session required pam_script.so onerr=success dir=/etc/pam-script
    session required pam_loginuid.so

    [TEST]root@tstdebsv0604:~# tail -3 /etc/pam.d/login
    ## Log user actions
    session required pam_script.so onerr=success dir=/etc/pam-script
    session required pam_loginuid.so

    [TEST]root@tstdebsv0604:~# tail -4 /etc/pam.d/su
    ## Log user actions
    session required pam_script.so onerr=success dir=/etc/pam-script

    [TEST]root@tstdebsv0604:~# tail -1 /etc/pam.d/sudo
    session required pam_script.so onerr=success dir=/etc/pam-script

    [TEST]root@tstdebsv0604:~# ls -l /etc/pam-script/pam_script_ses_*
    -rwxr-x— 1 root root 101 Oct 30 11:51 /etc/pam-script/pam_script_ses_close
    -rwxr-x— 1 root root 101 Oct 30 11:51 /etc/pam-script/pam_script_ses_open

    [TEST]root@tstdebsv0604:~# cat /etc/pam-script/pam_script_ses_open
    AUID=$(getent passwd $USER | cut -d: -f3)
    /sbin/auditctl -a entry,always \
    -S execve \
    -F auid=$AUID

    [TEST]root@tstdebsv0604:~# cat /etc/pam-script/pam_script_ses_close
    AUID=$(getent passwd $USER | cut -d: -f3)
    /sbin/auditctl -d entry,always \
    -S execve \
    -F auid=$AUID

    [TEST]root@tstdebsv0604:~# cat /etc/audit/audit.rules
    # This file contains the auditctl rules that are loaded
    # whenever the audit daemon is started via the initscripts.
    # The rules are simply the parameters that would be passed
    # to auditctl.

    # First rule – delete all
    -D

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 320

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>