Good evening, I'm doing research for my master's degree.
I must use auditd to audit everything that happens on the operating system.
In my scenario there is a common user (foouser) who elevates privileges with su - or su (CentOS).
For example, when a service is restarted I cannot identify foouser, since the following appears in the audit log:
ausearch:
pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=servicex=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
If I check the logs in:
/var/log/audit/audit.log
type=SERVICE_START msg=audit(1658524032.777:215728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='servicex="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
It lists the root user's AUID instead of foouser's.
I have found a workaround, which is to add a rule like this:
vim /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=su_log
But I would like to find a way to change this behavior without adding custom rules.
Thank you very much for reading my query.
Best regards.
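The point behind the su_log rule in the post is that the login UID (auid) is set once at login and survives su, whereas a SERVICE_START record is written by systemd itself (pid 1), which has no login UID (4294967295 is (uid_t)-1, "unset"). So the user can only be recovered from the keyed execve record of the systemctl call that asked systemd to restart the unit. The script below, added here as an example and not part of the original question, correlates the two record types from raw audit.log text. The log lines it parses are constructed samples modelled on the line in the post; the USER_START, SYSCALL and EXECVE records, their serial numbers and the auid=1000 value are assumptions.

```python
"""Attribute systemd SERVICE_START/SERVICE_STOP audit records to the login UID
of the person who ran `systemctl`, using records produced by an auditd rule
keyed su_log on execve with euid=0 and auid>=1000.
"""
import re
from typing import Dict, List, Optional

UNSET_AUID = 4294967295  # (uid_t)-1: the process never had a login UID assigned

# Constructed sample log (assumption: not taken from a real system). Record 215727
# is foouser (auid=1000, uid=0 after su) running `systemctl restart servicex`;
# 215728/215729 are the records systemd (pid 1, auid unset) then emits.
SAMPLE_LOG = """\
type=USER_START msg=audit(1658524010.101:215700): pid=2100 uid=0 auid=1000 ses=12 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1658524032.770:215727): arch=c000003e syscall=59 success=yes exit=0 a0=55d3c1a0b2c0 a1=55d3c1a0b400 a2=55d3c1a0a9d0 a3=8 items=2 ppid=2101 pid=2150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="su_log"
type=EXECVE msg=audit(1658524032.770:215727): argc=3 a0="systemctl" a1="restart" a2="servicex"
type=SERVICE_STOP msg=audit(1658524032.775:215728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=servicex comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1658524032.777:215729): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=servicex comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

_HDR = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
_KV = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_record(line: str) -> Optional[dict]:
    """Parse one audit.log line into {type, ts, serial, fields}; None if not a record."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for k, v in _KV.findall(m["rest"]):
        if v.startswith("'") and v.endswith("'"):
            # msg='...' on USER_* and SERVICE_* records carries a nested key=value list
            for nk, nv in _KV.findall(v[1:-1]):
                fields[nk] = nv.strip('"')
        else:
            fields[k] = v.strip('"')
    return {"type": m["type"], "ts": float(m["ts"]), "serial": m["serial"], "fields": fields}


def argv_of(records: List[dict], serial: str) -> List[str]:
    """Rebuild argv from the EXECVE record that shares the SYSCALL's serial number."""
    for r in records:
        if r["type"] == "EXECVE" and r["serial"] == serial:
            n = int(r["fields"].get("argc", "0"))
            return [r["fields"][f"a{i}"] for i in range(n) if f"a{i}" in r["fields"]]
    return []


def attribute_service_events(log_text: str, window: float = 5.0) -> Dict[str, dict]:
    """Map each SERVICE_START/SERVICE_STOP serial to the auid responsible for it.

    A record whose auid is unset is attributed to the latest su_log-keyed execve of
    systemctl within `window` seconds before it whose argv names the same unit.
    Unmatched records get auid None so they stand out rather than silently pass.
    """
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    result: Dict[str, dict] = {}
    for rec in records:
        if rec["type"] not in ("SERVICE_START", "SERVICE_STOP"):
            continue
        f = rec["fields"]
        unit = f.get("unit")
        if int(f.get("auid", UNSET_AUID)) != UNSET_AUID:
            # the kernel already knows the login UID; trust it
            result[rec["serial"]] = {"unit": unit, "auid": int(f["auid"]), "via_serial": None, "argv": []}
            continue
        match = None
        for cand in records:
            if cand["type"] != "SYSCALL" or cand["fields"].get("key") != "su_log":
                continue
            if cand["ts"] > rec["ts"] or rec["ts"] - cand["ts"] > window:
                continue
            argv = argv_of(records, cand["serial"])
            names_unit = any(a == unit or a == f"{unit}.service" for a in argv)
            if argv and argv[0].endswith("systemctl") and names_unit:
                match = (cand, argv)  # log order is time order, so the last hit is the latest
        result[rec["serial"]] = {
            "unit": unit,
            "auid": int(match[0]["fields"]["auid"]) if match else None,
            "via_serial": match[0]["serial"] if match else None,
            "argv": match[1] if match else [],
        }
    return result


if __name__ == "__main__":
    for serial, who in attribute_service_events(SAMPLE_LOG).items():
        print(serial, who)
```

On a real host the same keyed records can be pulled with `ausearch -k su_log -i`, and the script would read the output of `ausearch -k su_log --raw` together with the SERVICE_* records. The five-second window and the argv check are deliberate: without them a restart triggered by a timer or by another root process shortly after foouser's session would be misattributed to foouser.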