Getting auditd to record the original user

As stated here:

Using

session required pam_loginuid.so

in all login-related PAM config files (not the ones for su and sudo) will let auditd log the calling user's uid in the field auid.

You can search auditd's logs for this id with

ausearch -ua <uid>

yielding all commands the user issued, even while impersonating another account.


The information you're requesting is, joyfully, already included in the logs. The specific field that you want to look for is auid. From the manpage for auditctl:

     auid          The original ID the user logged in with. It's an abbreviation 
                   of audit uid. Sometimes it's referred to as loginuid. Either 
                   the user account text or number may be used.

As an example, here is a log entry that I generated using the following methodology:

  1. Add the rule: -a always,exit -S sethostname -S setdomainname -k system-locale
  2. Login to the system with my user account and launch a root shell by issuing su -
  3. Execute the command: hostname audit-test.home.private

type=SYSCALL msg=audit(1358306046.744:260): arch=c000003e syscall=170 success=yes exit=0 a0=2025010 a1=17 a2=7 a3=18 items=0 ppid=23922 pid=26742 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=16 comm="hostname" exe="/usr/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="system-locale"

So, while yes, the log message is quite verbose we can clearly see auid=1000 in the log message, which corresponds to the uid of my user account.

For more details on the above example, as well as a brief description of auditd, check out this blog post from an IT Security community blogger (me), imaginatively entitled A Brief Introduction to Auditd.

The ausearch command mentioned by fuero is part of a suite of applications used to search and run reports against these rather thorough logs.
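As an added example (not part of either answer above), the script below shows what "search the logs for the auid" amounts to when you do it by hand on a saved audit log instead of with ausearch -ua. It parses SYSCALL records into their key=value fields, prints the login uid (auid) next to the effective uid, and then filters to the records where the two differ, i.e. where the logged-in user was acting as another account via su or sudo. The first sample record reproduces the hostname entry from the second answer; the other two records (a cron job with an unset loginuid, and a plain ls run as the user's own account) are constructed for this example and are not from the page.

```shell
#!/bin/sh
# Added example: attribute auditd SYSCALL records to the original login user.
# Not from the original answers. The three records below are constructed for
# this example; the first mirrors the hostname record quoted in the answer.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1358306046.744:260): arch=c000003e syscall=170 success=yes exit=0 a0=2025010 a1=17 a2=7 a3=18 items=0 ppid=23922 pid=26742 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=16 comm="hostname" exe="/usr/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="system-locale"
type=SYSCALL msg=audit(1358306100.001:261): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1358306200.500:262): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=26742 pid=26800 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=16 comm="ls" exe="/bin/ls" key="exec-watch"'

# audit_auid_report: read audit records on stdin and print one line per
# SYSCALL record in the form "<auid> <uid> <comm> <exe> <key>".
# auid=4294967295 means the loginuid was never set (processes started at boot,
# daemons, cron jobs); it is reported as "unset" so it is not mistaken for a user.
audit_auid_report() {
    awk '
    $1 == "type=SYSCALL" {
        split("", f)                      # clear the field map (portable awk)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue         # e.g. the "msg=audit(...):" token has one; skip anything without "="
            k = substr($i, 1, eq - 1)     # split on the first "=" only: subj=... contains ":" but no extra "="
            v = substr($i, eq + 1)
            gsub(/"/, "", v)              # strip the quotes around comm="...", exe="...", key="..."
            f[k] = v
        }
        auid = (f["auid"] == "4294967295") ? "unset" : f["auid"]
        print auid, f["uid"], f["comm"], f["exe"], f["key"]
    }'
}

# audit_privilege_changes: keep only records where the effective uid differs
# from the login uid, i.e. the user was impersonating another account.
# Unset loginuids are dropped: they are not a person to attribute anything to.
audit_privilege_changes() {
    audit_auid_report | awk '$1 != "unset" && $1 != $2'
}

# Usage: feed /var/log/audit/audit.log (or a saved copy) instead of the sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_privilege_changes
```

On a live system the equivalent query is simply ausearch -ua 1000, which understands the record format (and the interpretation of 4294967295 as an unset loginuid) natively; the awk version is for reading logs that have been shipped off-box, and makes explicit why pam_loginuid.so matters: without it the auid field would be 4294967295 for every record and the su - in the second answer would leave no trace of who ran hostname.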