I am trying to implement individual accountability for my RHEL systems using SELinux and the audit.log. I followed the instructions given here: Log all commands run by admins on production servers
If I understand it correctly, pam_loginuid.so should keep the UID that was used to log in and set it as the AUID in the audit.log file. Unfortunately that does not work after su. When I log in to the system and call cat /proc/self/loginuid it displays my correct UID. If I invoke sudo su - and call cat /proc/self/loginuid again, it displays 0. The ID 0 is also used in the audit.log as AUID for commands I invoke after sudo su -.
What am I doing wrong here?
Here is my pam.d/sshd file:
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_loginuid.so
session include system-auth
I enabled audit=1 in /etc/grub.conf and edited /etc/audit/audit.rules as described in the post above.
Best Answer
Make sure you do not load the pam_loginuid.so module from any of the following /etc/pam.d/ files: su, sudo, or the files that su and sudo pull in via @include.
Edit: See also this bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741546
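As an added example (not part of the question or the answer above): a POSIX shell script that does the check the answer asks for. It walks a pam.d directory starting at su and sudo, follows both the RHEL-style "type include X" / "substack X" directives and the Debian-style "@include X" lines, and reports every uncommented pam_loginuid.so line that is reachable, which is what would reset the AUID on su or sudo. The pam.d tree that make_sample_pamd builds is constructed for the demonstration only (a "bad" copy with pam_loginuid.so in system-auth and a "good" copy with it only in sshd); on a real host run find_loginuid /etc/pam.d su and find_loginuid /etc/pam.d sudo instead.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# find_loginuid DIR SERVICE
#   Prints "DIR/FILE:LINENO:LINE" for every non-comment pam_loginuid.so line
#   reachable from DIR/SERVICE through include/substack/@include directives.
#   Returns 0 if none were found, 1 if at least one was.
find_loginuid() {
    _pamdir=$1
    _hits=0
    _seen=" "        # visited files, space-delimited, to avoid include loops
    _walk "$2"
    return $_hits
}

# _walk FILE: helper for find_loginuid, recurses into included files.
_walk() {
    _f="$_pamdir/$1"
    [ -f "$_f" ] || return 0                          # missing include: nothing to scan
    case "$_seen" in *" $1 "*) return 0 ;; esac       # already visited
    _seen="$_seen$1 "
    # Direct hits in this file, ignoring lines that are commented out.
    _out=$(grep -n 'pam_loginuid\.so' "$_f" | grep -v '^[0-9]*:[[:space:]]*#' || true)
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out" | sed "s|^|$_f:|"
        _hits=1
    fi
    # Files pulled in by "@include X" (Debian) or "<type> include|substack X" (RHEL).
    for _inc in $(sed 's/#.*//' "$_f" | awk '$1 == "@include" { print $2 }
                                             $2 == "include" || $2 == "substack" { print $3 }'); do
        _walk "$_inc"
    done
}

# make_sample_pamd DIR MODE: constructed pam.d tree for the demonstration.
# MODE "bad" puts pam_loginuid.so into system-auth, which su and sudo include;
# MODE "good" leaves it only in sshd, where the question's configuration has it.
make_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/sshd" <<'EOF'
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_loginuid.so
session include system-auth
EOF
    cat > "$1/su" <<'EOF'
auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
session include system-auth
EOF
    cat > "$1/sudo" <<'EOF'
auth include system-auth
account include system-auth
session include system-auth
EOF
    {
        echo 'session required pam_limits.so'
        [ "$2" = bad ] && echo 'session required pam_loginuid.so'
        echo '# session required pam_loginuid.so   (commented out: must be ignored)'
        echo 'session required pam_unix.so'
    } > "$1/system-auth"
}

# Demonstration on the two constructed trees.
demo() {
    _tmp=$(mktemp -d)
    make_sample_pamd "$_tmp/bad" bad
    make_sample_pamd "$_tmp/good" good
    for _svc in su sudo; do
        echo "== bad tree, $_svc"
        find_loginuid "$_tmp/bad" "$_svc" || echo "   -> $_svc reloads pam_loginuid.so, AUID would be reset"
        echo "== good tree, $_svc"
        find_loginuid "$_tmp/good" "$_svc" && echo "   -> clean"
    done
    rm -rf "$_tmp"
}

demo
```

Each included file is visited once even when su pulls system-auth in three times (auth, account, session), so one offending line is reported once; the commented-out line in the sample is skipped, which is the common false positive when grepping pam.d by hand.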