
I'm struggling with the following task for AuditD

/etc/passwd should be monitored for any access, no matter whether cat or sudo cat is used... OK, easy. BUT I should also prevent auditd from logging any other sudo commands that are not used to access /etc/passwd.

I'm totally lost at this point. Logging each sudo command with -S execve is easy, but doing it only for sudo on /etc/passwd gives me headaches.

  • I don't understand that problem. It would be easier if you added to the question what you've already tried doing and which command you're using. For instance, to monitor any process that accesses a file you can run auditctl -w /etc/passwd -p rwa, but I don't know if you've already tried that and what's missing. This command also shows the pid and process name that accessed the file. Also, I don't understand how sudo is related, since you say "doesn't matter if a cat or sudo cat". Commented Oct 25, 2022 at 9:55
  • Thanks for your response. The file watch you mentioned was the easy part. What I need now is this: a user who issues "sudo vim /etc/passwd" or "cat /etc/passwd" etc. should be logged... if a user issues a sudo command like "sudo vim somefile", nothing should be logged. Commented Oct 25, 2022 at 10:05
  • You can see in the audit log this information in the auid field. See here: Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su -john). Commented Oct 25, 2022 at 11:35
  • Given that /etc/passwd will be accessed every time a user runs ps -fe, ls -l, top, etc, do you really want to scan through all of those logs? Commented Oct 25, 2022 at 12:27

1 Answer


The auid field in the audit log shows you exactly that. You don't need to audit execve calls for that.

From RHEL Audit System Reference:

auid - Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su -john).

For instance, in the following line you can see that the uid was root, but the auid (the original user that ran sudo) was john.

$ ausearch -i -k passwd | grep cat
type=SYSCALL msg=audit(10/25/22 14:49:05.149:376) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7fffffffe268 a2=O_RDONLY a3=0x0 items=1 ppid=10413 pid=10418 auid=john uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts8 ses=21750 comm=cat exe=/usr/bin/cat subj==unconfined key=passwd

In case you missed it, the relevant part is: auid=john uid=root
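To make the answer's point concrete, here is an added example (not code from the answer's author) that parses interpreted ausearch output and filters it the way the question asks for: keep only the records produced by a watch on /etc/passwd (identified by the key given with -k), and, within those, tell apart a plain read by the user from one made after a privilege change by comparing auid with uid. The first sample record is the one quoted in the answer; the other two records, the rule key passwd, and the user names are constructed for this example. The rule that would produce such records, combining the comment above with the key used in the answer, is assumed to be auditctl -w /etc/passwd -p rwa -k passwd.

```python
import re
from typing import Dict, List

# Constructed sample of `ausearch -i` SYSCALL records. Record 1 is the one quoted in
# the answer; records 2 and 3 are made up for this example. With only the watch rule
#   auditctl -w /etc/passwd -p rwa -k passwd
# loaded, record 3 (an unrelated file, different key) would never be emitted at all,
# which is what makes the question's "don't log other sudo commands" requirement moot.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(10/25/22 14:49:05.149:376) : arch=x86_64 syscall=openat "
    "success=yes exit=3 a0=0xffffff9c a1=0x7fffffffe268 a2=O_RDONLY a3=0x0 items=1 "
    "ppid=10413 pid=10418 auid=john uid=root gid=root euid=root suid=root fsuid=root "
    "egid=root sgid=root fsgid=root tty=pts8 ses=21750 comm=cat exe=/usr/bin/cat "
    "subj==unconfined key=passwd",
    "type=SYSCALL msg=audit(10/25/22 14:51:12.001:380) : arch=x86_64 syscall=openat "
    "success=yes exit=3 a0=0xffffff9c a1=0x7fffffffe100 a2=O_RDONLY a3=0x0 items=1 "
    "ppid=10413 pid=10440 auid=john uid=john gid=john euid=john suid=john fsuid=john "
    "egid=john sgid=john fsgid=john tty=pts8 ses=21750 comm=cat exe=/usr/bin/cat "
    "subj==unconfined key=passwd",
    "type=SYSCALL msg=audit(10/25/22 14:53:40.555:391) : arch=x86_64 syscall=openat "
    "success=yes exit=3 a0=0xffffff9c a1=0x7fffffffe300 a2=O_RDWR a3=0x0 items=1 "
    "ppid=10413 pid=10462 auid=alice uid=root gid=root euid=root suid=root fsuid=root "
    "egid=root sgid=root fsgid=root tty=pts9 ses=21751 comm=vim exe=/usr/bin/vim "
    "subj==unconfined key=somefile",
]

# The interpreted timestamp contains a space ("10/25/22 14:49:05.149:376"), so it must
# be pulled out before the rest of the record is split on whitespace.
MSG_RE = re.compile(r"msg=audit\(([^)]*)\)\s*:?")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one ausearch -i record into a dict of field name -> value."""
    fields: Dict[str, str] = {}
    m = MSG_RE.search(line)
    if m:
        fields["msg"] = m.group(1)
        line = line[: m.start()] + line[m.end():]
    for token in line.split():
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        # "subj==unconfined": ausearch -i prints a doubled '=' when no SELinux context is set
        fields[key] = value.lstrip("=")
    return fields


def parse_records(lines: List[str]) -> List[Dict[str, str]]:
    return [parse_record(line) for line in lines]


def passwd_accesses(records: List[Dict[str, str]], key: str = "passwd") -> List[Dict[str, str]]:
    """Records generated by the /etc/passwd watch, selected by the -k key of the rule."""
    return [r for r in records if r.get("type") == "SYSCALL" and r.get("key") == key]


def via_privilege_change(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records where the acting uid differs from the login identity (auid), e.g. via sudo/su.

    auid is assigned at login and inherited across sudo/su, so auid != uid is the
    signal the answer points at; no execve auditing is needed.
    """
    return [r for r in records if r.get("auid") != r.get("uid")]


def summarize(rec: Dict[str, str]) -> str:
    return (f"{rec.get('auid')} ran {rec.get('comm')} as {rec.get('uid')} "
            f"(pid {rec.get('pid')}, key={rec.get('key')})")


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_RECORDS)
    for rec in passwd_accesses(parsed):
        tag = "privilege change" if rec in via_privilege_change([rec]) else "own identity"
        print(f"[{tag}] {summarize(rec)}")
```

Run against real data with something like `ausearch -i -k passwd | python3 thisfile.py` after replacing SAMPLE_RECORDS with `sys.stdin`; the parser only depends on the key=value layout that `ausearch -i` prints, and the auid test is the whole trick: a plain `cat /etc/passwd` shows auid=john uid=john, while `sudo cat /etc/passwd` shows auid=john uid=root.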
