Daemon auditd - uid=root auid=unset ses=unset

cruceli

Good evening, I'm doing research for my master's degree.

I must use auditd to audit everything that happens on the operating system.

In my scenario there is a common user (foouser) who elevates privileges with su - or su (CentOS).

For example, when restarting a service, I cannot identify foouser, since the following appears in the audit log:

ausearch:
pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=servicex=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'

If I check the logs in:

/var/log/audit/audit.log

type=SERVICE_START msg=audit(1658524032.777:215728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='servicex="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

It lists the root user's AUID instead of foouser's.

I have found a workaround, which is to add a rule like this:

vim /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=su_log

But I would like to find a way to change this behavior without adding custom rules.

Thank you very much for reading my query.

Best regards.
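To show why the su_log rule above recovers foouser while the SERVICE_START record does not, here is a small Python script added to this thread (not posted by anyone in it) that parses audit.log records into fields, interprets auid=4294967295 as "unset" the way ausearch does, and applies the same filter the rule expresses. The three sample records and the x86_64 values for arch=b64 (c000003e) and execve (syscall 59) are assumptions of the example.

```python
import re

# auid=4294967295 is (unsigned) -1, the kernel's "unset" login uid.
# ausearch -i prints it as auid=unset: no login session is attached to the process.
AUID_UNSET = 4294967295
ARCH_X86_64 = "c000003e"   # what "-F arch=b64" selects on an x86_64 host (assumed)
SYS_EXECVE = 59            # execve on x86_64, i.e. "-S execve" (assumed)

# One key=value pair; the value is '...' (nested msg payload), "..." or a bare token.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=SERVICE_START msg=audit(1658524032.777:215728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=servicex comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1658524030.123:215720): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="systemctl" exe="/usr/bin/systemctl" key="su_log"
type=SYSCALL msg=audit(1658524031.500:215722): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="ls" exe="/usr/bin/ls" key=(null)
"""

def parse_record(line):
    """Flatten one audit record into a dict; the quoted msg='...' payload is merged in."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith("'"):
            fields.update(parse_record(value[1:-1]))   # nested payload of msg='...'
        else:
            fields[key] = value.strip('"')
    return fields

def login_uid(fields):
    """The session's login uid, or None when the kernel reports it as unset."""
    auid = int(fields["auid"])
    return None if auid == AUID_UNSET else auid

def matches_su_rule(fields):
    """Same filter as the thread's rule: 64-bit execve with euid 0 by a real login user."""
    if fields.get("type") != "SYSCALL":
        return False
    auid = login_uid(fields)
    return (fields.get("arch") == ARCH_X86_64
            and int(fields.get("syscall", -1)) == SYS_EXECVE
            and int(fields.get("euid", -1)) == 0
            and auid is not None and auid >= 1000)

def root_commands_by_login_user(log_text):
    """(auid, exe) for every record the su_log rule would have tagged."""
    return [(login_uid(f), f["exe"])
            for f in map(parse_record, log_text.splitlines())
            if matches_su_rule(f)]
```

The SERVICE_START record comes from pid 1 (systemd), which has no login session, so its auid is unset no matter who asked for the restart; the execve that foouser ran with euid 0 is where the login uid survives, which is what the rule captures.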

f33dm3bits

You can add rules without adding them to /etc/audit/rules.d/audit.rules, but they won't be persistent, so when the system reboots they will be gone.

cruceli

Thanks for your answer.
A non-repudiation environment can be created using sudo.
As I use Red Hat, I can't find how to use sudo as on Debian (Ubuntu distro).
In this way, it would guarantee that each user who logs in is audited correctly and guarantee non-repudiation.
Is there a way on Red Hat to use a command similar to sudo, avoiding privilege elevation with su - or su?
THANK YOU.