Hi,
I received a requirement from one of my customer to audit what the
users do after sudo. To be sure that only user sessions are audited
I'm using the pam_script module to insert and remove a rule when the
users logins and logouts, respectively. I'm doing this because if you
have a persistent rule and you restart a daemon, the audit system will
report the daemon actions, even if the user logouts.
I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
/etc/pam.d/{login,ssh}.
The command line that I'm using to add/remove the rule to audit execs is:
/sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID
Let me know if anybody has a better way to do this.
Regards,
Diego
--
Diego Woitasen
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
