Provide parity with Linux Audit system for logging real user identity in case sudo/sudo su is used (%user.auid property is needed) #318

@alukyan

Description

When Falco is configured to log EXECVE calls it is not possible to track the ID of the actual executing user: %user.name returns root and %user.uid returns 0.

But the Linux auditing system always provides the identity of the actual executing user via the auid field.

So if a user with ID = 1002 runs

$ sudo su
$ touch /bin/myfile12

the Falco log with rule

 - rule: All the commands executed by users
   desc: an attempt to run interactive commands by any user
   condition: spawned_process
   output: "User ran an interactive command (user=%user.name uid=%user.uid command=%proc.cmdline)"
   priority: INFO
   tags: [users]

looks like this

01:54:28.826846427: Informational User ran an interactive command (user=root uid=0 command=touch /bin/myfile12)

while the audit record looks like this (note auid=1002 there), which makes it easy to correlate which user ran this command via sudo and to provide an automated response if suspicious activity is spotted

type=SYSCALL msg=audit(1516672468.826:127058): arch=c000003e syscall=59 success=yes exit=0 a0=bea588 a1=be06c8 a2=bde008 a3=598 items=2 ppid=15394 pid=15407 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1811 comm="touch" exe="/bin/touch" key=(null)
type=EXECVE msg=audit(1516672468.826:127058): argc=2 a0="touch" a1="/bin/myfile12"
type=PATH msg=audit(1516672468.826:127058): item=0 name="/usr/bin/touch" inode=46 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
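As an added example (not Falco code and not the issue author's), the following Python parses audit records of the kind quoted above, joins each SYSCALL record with its EXECVE argv by event serial, and flags execve events whose login identity (auid) differs from the effective uid, which is exactly the sudo / sudo su case that a %user.auid field would let a Falco rule express. The sample input is constructed from the three audit lines above; field names are the standard audit ones.

```python
"""Flag execve events run by a different login user than the effective user (sudo / sudo su)."""
import re
from collections import defaultdict

# Constructed sample input: the three audit records quoted in the issue (one event, serial 127058).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1516672468.826:127058): arch=c000003e syscall=59 success=yes exit=0 a0=bea588 a1=be06c8 a2=bde008 a3=598 items=2 ppid=15394 pid=15407 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1811 comm="touch" exe="/bin/touch" key=(null)
type=EXECVE msg=audit(1516672468.826:127058): argc=2 a0="touch" a1="/bin/myfile12"
type=PATH msg=audit(1516672468.826:127058): item=0 name="/usr/bin/touch" inode=46 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

AUID_UNSET = 4294967295      # kernel value for "no login uid" (daemons, boot-time processes)
SYS_EXECVE_X86_64 = "59"     # execve syscall number for arch=c000003e, as in the record above
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_audit_log(text):
    """Group raw audit lines by event serial: {serial: {record_type: {field: value}}}.
    Multiple PATH items of one event collapse to the last one; they are not needed here."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["_ts"] = ts
        events[serial][fields["type"]] = fields
    return events


def execve_events(events):
    """Yield one summary per successful execve, joining SYSCALL identity with EXECVE argv."""
    for serial, recs in events.items():
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") != SYS_EXECVE_X86_64 or sc.get("success") != "yes":
            continue
        ex = recs.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0)))]
        yield {"serial": serial, "ts": sc["_ts"], "pid": int(sc["pid"]),
               "auid": int(sc["auid"]), "uid": int(sc["uid"]), "euid": int(sc["euid"]),
               "comm": sc.get("comm"), "cmdline": " ".join(argv)}


def privileged_by_other_user(events):
    """Execve events where the login user (auid) is set and is not the effective user."""
    return [e for e in execve_events(events)
            if e["auid"] != AUID_UNSET and e["auid"] != e["euid"]]


if __name__ == "__main__":
    for e in privileged_by_other_user(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{e['ts']} auid={e['auid']} ran as euid={e['euid']} pid={e['pid']}: {e['cmdline']}")
```

To tie such hits back to Falco output, include %proc.pid in the rule's output string so the two logs share a key; the audit timestamp is epoch seconds, matching the 01:54:28.826 shown in the Falco line above.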
