Looking inside sudo shell sessions: auditd, session recordings, log_subcmds
There are situations where you cannot avoid giving a user full shell access through sudo, and a shell with administrative privileges gives complete control over your hosts. Until recently, sudo could only log the start of the shell, not the commands executed within it. You could record sessions with sudo and play them back with sudoreplay, but watching recordings is boring and time consuming, and a recording can still be subverted. Version 1.9.8 introduced logging of sub-commands (the log_subcmds option), but that is not yet available on many systems. An alternate approach is to use auditd to log commands started from a root shell.
From this post you will learn how to use auditd to log commands from a sudo-run root shell, why it is better to use the sub-command logging built into recent sudo releases, and why you should still record sessions with sudo.
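The auditd approach described above hinges on the audit login UID (auid): it is set at login and survives the setuid that sudo performs, so an execve rule keyed on euid=0 together with a real auid still tells you which user typed the command inside the root shell. The following is an added example, not code from the post or from the sudo project: it shows the auditctl rule in a comment, then parses constructed audit records (a SYSCALL line plus its EXECVE line, joined on the event serial) into one command per event. The sample log lines, the key name `root_shell` and the helper names are assumptions made for the example; the hex-encoded argument reflects how audit writes arguments that contain whitespace.

```python
import re
import shlex
from collections import defaultdict

# Rule that produces the records parsed below (assumed key name). Add both
# arch lines to /etc/audit/rules.d/ and run `augenrules --load`:
#   -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_shell
#   -a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_shell
# auid!=4294967295 drops processes with no login uid (daemons, cron), so
# only commands traceable to an interactive login are recorded.

# Constructed sample: a user with auid 1000 ran `sudo -s` and typed two
# commands. The last argument of the second one contains a space, so the
# kernel hex-encodes it instead of quoting it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1653000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=31337 pid=31340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key="root_shell"
type=EXECVE msg=audit(1653000000.123:4242): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1653000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=31337 pid=31341 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="cp" exe="/usr/bin/cp" key="root_shell"
type=EXECVE msg=audit(1653000000.456:4243): argc=3 a0="cp" a1="/etc/shadow" a2=2F746D702F6D792066696C65
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def strip_quotes(raw):
    """Return a quoted audit value without its quotes; other values unchanged."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def decode_argv(raw):
    """Decode one EXECVE argument: quoted strings are literal, unquoted
    even-length hex strings are byte-encoded (audit does this for arguments
    with whitespace, quotes or non-printable bytes)."""
    if raw.startswith('"'):
        return strip_quotes(raw)
    if raw != "(null)" and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_line(line):
    """Split one audit record into (type, event serial, {field: raw value})."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields["type"], m.group(2), fields


def reconstruct(log_text):
    """Join SYSCALL and EXECVE records by serial and return one dict per
    execve, ordered by serial. Arguments that audit splits into chunks
    (a2[0]=..., a2[1]=...) for very long values are not reassembled here."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        ev = events[serial]
        if rtype == "SYSCALL":
            ev.update({
                "auid": int(fields["auid"]),   # who logged in
                "euid": int(fields["euid"]),   # who the command ran as
                "pid": int(fields["pid"]),
                "ses": fields.get("ses", "?"),
                "tty": fields.get("tty", "?"),
                "exe": strip_quotes(fields.get("exe", "")),
                "key": strip_quotes(fields.get("key", "")),
            })
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode_argv(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return [events[s] for s in sorted(events, key=int)]


def format_event(ev):
    """One line per command, sudo-log style, with the real user (auid) first."""
    return (f"auid={ev['auid']} ses={ev['ses']} tty={ev['tty']} euid={ev['euid']} : "
            + shlex.join(ev.get("argv", [])))


if __name__ == "__main__":
    for ev in reconstruct(SAMPLE_LOG):
        print(format_event(ev))
```

On a live host `ausearch -k root_shell -i` gives you the same join with names resolved, but the records arrive exactly as above when you ship /var/log/audit/audit.log to a SIEM, so the parsing matters there. Note that with sudo 1.9.8 or later a single `Defaults log_subcmds` line in sudoers yields the same per-command trail from sudo itself, with the invoking user already attributed.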
You can read the rest of my blog at https://www.sudo.ws/posts/2022/05/looking-inside-sudo-shell-sessions-auditd-session-recordings-log_subcmds/