This question is related to my previous question: Log all commands run by admins on production servers
It is company policy for admins to log in to the servers via a personal username, and then run `sudo -i` to become root. Upon running `sudo -i`, sudo will create an environment variable called `SUDO_USER`, which contains the original user's username.

Is it possible to have `auditd` include this variable in its logs for each command? Or a functional equivalent.

This is the current rule set for `auditd`:
```
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Log any command run on this system
#-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
```
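Added example, not part of the question or of auditd itself: every SYSCALL record auditd writes carries `auid` (the login uid, set by PAM at login and unchanged across `sudo`), which is the audit-side counterpart of `SUDO_USER`. The script below parses constructed `audit.log` lines (sample data and a constructed uid-to-name map, not from the poster's system) and reports the original login user next to the effective user for each `execve`.

```python
import re
from collections import defaultdict

# Constructed sample records (abbreviated): alice (uid 1000) ran `sudo -i`
# and then `cat /etc/shadow` as root; bob (uid 1001) ran `ls` as himself.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2301 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.123:501): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2302 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.456:502): argc=1 a0="ls"
"""

PASSWD = {0: "root", 1000: "alice", 1001: "bob"}  # constructed uid -> name map

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"
SERIAL = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')  # (timestamp, serial)

def parse_events(log):
    """Group records by audit serial: {serial: {"fields": {...}, "argv": [...]}}."""
    events = defaultdict(lambda: {"fields": {}, "argv": []})
    for line in log.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev["fields"].update(fields)
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
    return events

def exec_by_login_user(log, passwd=PASSWD):
    """Return (login_user, effective_user, argv) per execve, keyed on auid."""
    out = []
    for serial, ev in sorted(parse_events(log).items(), key=lambda kv: int(kv[0])):
        f = ev["fields"]
        if f.get("syscall") not in ("59", "11"):  # execve: 59 on x86_64, 11 on i386
            continue
        auid, uid = int(f["auid"]), int(f["uid"])
        out.append((passwd.get(auid, str(auid)), passwd.get(uid, str(uid)), ev["argv"]))
    return out

if __name__ == "__main__":
    for login, effective, argv in exec_by_login_user(SAMPLE_LOG):
        print(f"{login} (as {effective}): {' '.join(argv)}")
```

On a live system the same lookup is what `ausearch -ua <uid>` does; note that audit hex-encodes arguments containing spaces or non-printable characters, which this parser leaves as-is.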