Why can't I run ausearch (part of auditd) remotely over SSH?

Question

Any idea why the following doesn't work? It hangs with no output.

desktop$ ssh myserver "sudo ausearch -k my_key"

However, the following works. It outputs the auditing history of this key from auditd.

desktop$ ssh myserver
myserver$ sudo ausearch -k my_key

The following also works. (Meaning, sudo is not currently set to require a password.)

desktop$ ssh myserver "sudo ls"

score 5 · Accepted Answer · answered Jan 08 '12 at 00:07

Since you logon as a normal user you might not have /sbin in your $PATH, which means that ausearch might not be found. To try this, specific /sbin/ausearch manually in your command line. For some commands you also require ssh to aquire a tty, you accomplish this with the -t flag, so to try this out, type:

ssh -t myserver "sudo /sbin/ausearch -k my_key"

To fully emulate a logged in session you can also call sudo with the -i flag, and then you can probably omit the /sbin (since it worked in your logged in session), as this:

ssh -t myserver "sudo -i ausearch -k my_key"

StephenW · Answer 2 · 2021-03-24T18:40:48.250

1

Instead of the -t option to SSH, try adding --input-logs to the command (see the man page)

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1032706#c13

edited Mar 24 '21 at 18:40

answered Mar 18 '21 at 18:21

StephenW

11
2

This does seem like the more correct answer, not doing any workarounds. You mean `--input-logs`, though? – Amir Mar 23 '21 at 12:55
Yes, thank you Amir (now corrected) – StephenW Mar 24 '21 at 18:55

Why can't I run ausearch (part of auditd) remotely over SSH?

2 Answers2