Information
sudo provides users with temporary elevated privileges to perform operations. Monitor the administrator with temporary elevated privileges and the operation(s) they performed.
Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.
Rationale:
creating an audit log of administrators with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed.
Solution
For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules:
Example: 'vi /etc/audit/rules.d/actions.rules
Add the following line:
-a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules:
Example: 'vi /etc/audit/rules.d/actions.rules
Add the following lines:
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions