Looking inside sudo shell sessions: auditd, session recordings, log_subcmds

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=subcom
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=subcom

service auditd restart 

ausearch -ua czanik
----
time->Wed May 25 14:32:34 2022
type=USER_ACCT msg=audit(1653481954.458:384): pid=18647 uid=1000 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="czanik" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed May 25 14:32:34 2022
type=USER_CMD msg=audit(1653481954.459:385): pid=18647 uid=1000 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/czanik" cmd="/bin/bash" terminal=pts/1 res=success'
----
time->Wed May 25 14:32:34 2022
type=CRED_REFR msg=audit(1653481954.459:386): pid=18647 uid=0 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed May 25 14:32:34 2022
type=USER_START msg=audit(1653481954.468:387): pid=18647 uid=0 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed May 25 14:32:34 2022
type=PROCTITLE msg=audit(1653481954.469:388): proctitle="/bin/bash"
type=PATH msg=audit(1653481954.469:388): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33184 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1653481954.469:388): item=0 name="/bin/bash" inode=50333354 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1653481954.469:388):  cwd="/home/czanik"
type=EXECVE msg=audit(1653481954.469:388): argc=1 a0="/bin/bash"
type=SYSCALL msg=audit(1653481954.469:388): arch=c000003e syscall=59 success=yes exit=0 a0=5620ac437228 a1=5620ac448ee8 a2=5620ac46d8c0 a3=0 items=2 ppid=18647 pid=18649 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="subcom"
----
time->Wed May 25 14:32:34 2022
type=PROCTITLE msg=audit(1653481954.472:389): proctitle=747479002D73
type=PATH msg=audit(1653481954.472:389): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33184 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1653481954.472:389): item=0 name="/bin/tty" inode=52490149 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1653481954.472:389):  cwd="/home/czanik"
type=EXECVE msg=audit(1653481954.472:389): argc=2 a0="tty" a1="-s"
type=SYSCALL msg=audit(1653481954.472:389): arch=c000003e syscall=59 success=yes exit=0 a0=1283830 a1=1284800 a2=1282980 a3=7ffc87010020 items=2 ppid=18649 pid=18650 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="tty" exe="/usr/bin/tty" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="subcom"
----
[...]
----
time->Wed May 25 14:32:34 2022
type=PROCTITLE msg=audit(1653481954.594:407): proctitle=2F7573722F62696E2F6964002D75
type=PATH msg=audit(1653481954.594:407): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33184 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1653481954.594:407): item=0 name="/usr/bin/id" inode=50407098 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1653481954.594:407):  cwd="/home/czanik"
type=EXECVE msg=audit(1653481954.594:407): argc=2 a0="/usr/bin/id" a1="-u"
type=SYSCALL msg=audit(1653481954.594:407): arch=c000003e syscall=59 success=yes exit=0 a0=12f8620 a1=1311d70 a2=1277440 a3=7ffc8700f6e0 items=2 ppid=18681 pid=18682 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="subcom"
----
time->Wed May 25 14:32:39 2022
type=PROCTITLE msg=audit(1653481959.289:408): proctitle=636174002F6574632F706173737764
type=PATH msg=audit(1653481959.289:408): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33184 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1653481959.289:408): item=0 name="/bin/cat" inode=50334420 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1653481959.289:408):  cwd="/home/czanik"
type=EXECVE msg=audit(1653481959.289:408): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1653481959.289:408): arch=c000003e syscall=59 success=yes exit=0 a0=12813b0 a1=13a3360 a2=1277440 a3=7ffc87011660 items=2 ppid=18649 pid=18687 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="subcom"
----
time->Wed May 25 14:32:41 2022
type=USER_END msg=audit(1653481961.054:409): pid=18647 uid=0 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed May 25 14:32:41 2022
type=CRED_DISP msg=audit(1653481961.055:410): pid=18647 uid=0 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

Defaults log_subcmds
Defaults log_format=json

Aug 30 13:13:14 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/joe
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/sh -c /bin/bash
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/readlink /proc/10889/exe
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/dircolors -b /etc/DIR_COLORS
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput hs
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput -T dumb+sl hs
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput bold
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput setaf 1
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput sgr0
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/sbin/ip --color=auto -V
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/readlink /proc/10889/exe
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tty
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/uname -m
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/uname -n
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/uname -m
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/manpath -q
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/flatpak --installations
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/cat /etc/sysconfig/mpi-selector
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/sed -r s@/*:|([^\\]):@\1\n@g;H;x;s@/\n@\n@
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tty
Aug 30 13:13:42 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/id
Aug 30 13:13:56 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/ls -A -N --color=none -T 0 /usr/share/syslog-ng/include/scl/

Defaults log_input, log_output

Looking inside sudo shell sessions: auditd, session recordings, log_subcmds

Before you begin

Using auditd

Using log_subcmds

Session recordings