It is company policy for admins to log in to the servers via a personal username, and then run sudo -i to become root. Upon running sudo -i, sudo will create an environment variable called SUDO_USER, which contains the original user's username.

Is there a way to log ALL commands within syslog with something akin to the following syntax:

${TIME/DATE STAMP}: [${REAL_USER}|${SUDO_USER}]: ${CMD}

An example entry would be:

Sat Jan 19 22:28:46 CST 2013: [root|ksoviero]: yum install random-pkg

Obviously it doesn't have to be exactly the above syntax; it just has to include a minimum of the real user (e.g. root), the sudo user (e.g. ksoviero), and the full command that was run (e.g. yum install random-pkg).

I've already tried snoopy, but it did not include the SUDO_USER variable.
Best Answer
Update: two more things that have popped up in the comments and in follow-up questions:

1. Using auditd this way will dramatically increase your log volume, especially if the system is heavily used via the command line. Adjust your log retention policy.

2. auditd logs on the host where they are created are just as secure as any other file on the same box. Forward your logs to a remote log collection server like ELK or Graylog to preserve your logs' integrity. Plus, adding to the point above, it allows you to delete old logs more aggressively.

As was suggested by Michael Hampton, auditd is the correct tool for the job here.

I tested this on an Ubuntu 12.10 installation, so your mileage may vary on other systems.
Install auditd:

apt-get install auditd

Add these 2 lines to /etc/audit/audit.rules:

These will track all commands run by root (euid=0). Why two rules? The execve syscall must be tracked in both 32- and 64-bit code.

To get rid of auid=4294967295 messages in logs, add audit=1 to the kernel's cmdline (by editing /etc/default/grub).

Place the line

session required pam_loginuid.so

in all PAM config files that are relevant to login (/etc/pam.d/{login,kdm,sshd}), but not in the files that are relevant to su or sudo. This will allow auditd to get the calling user's uid correctly when calling sudo or su.

Restart your system now.
Let's log in and run some commands:

This will yield something like this in /var/log/audit/auditd.log:

The auid column contains the calling user's uid, which allows you to filter for commands run by this user with

This will even list commands the user ran as root.