Re: process accounting
Date: Tue, 27 May 2003 18:50:06 -0400
To: Reveret Julien <email@example.com>
On Tue, May 27, 2003 at 07:15:02PM +0200, Reveret Julien wrote:
> > > What you can do is patch your system with grsec patches, or patch your
> > > users' shell. There is a patch for bash which makes bash log everything
> > > that is typed (I don't remember the URL, search for bash+logging+patch).
> > Why don't you use the good old process accounting feature?
> Because this guy wants to log all the arguments of every command run by
> users, process accounting doesn't.
also, there are commands which bash will execute, but do not
translate into a separate command (builtins). these include,
but are not limited to: cd, dirs, for, while, alias, set,
export, <variable-assignment>, <file-sourcing>, and so forth.
an interesting approach would be to do something like:

    cat < /etc/passwd

the user ran "cat" and that is logged, but the interesting
part of the activity (namely the looking at the password
file) is not logged.
more, the following script:

    while read line; do
        echo "$line"
    done < /etc/passwd

is all shell builtins, nothing will be logged as no execs
occur, but i've read the password file nonetheless.
-- Mark Smith mark at winksmith dot com mark at tux dot org
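
The gap described in this message, shown from the logging side as an added example (not part of the original thread): exec-based command logging next to a file-read audit trail for the same two activities. It assumes a Linux audit (auditd) style record layout and a read watch on /etc/passwd, neither of which is mentioned in the thread; the log records, event ids and pids are constructed and abbreviated.

```python
import re
from collections import defaultdict

# Constructed, abbreviated records in Linux audit (auditd) log style.
# On x86_64, syscall=2 is open and syscall=59 is execve.
# Events 101-102: `cat < /etc/passwd` (the shell opens the file, then execs cat).
# Event 103: the while/read loop (builtins only, so no execve record at all).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1054075806.100:101): arch=c000003e syscall=2 success=yes pid=4001 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1054075806.100:101): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1054075806.101:102): arch=c000003e syscall=59 success=yes pid=4001 comm="cat" exe="/bin/cat"
type=EXECVE msg=audit(1054075806.101:102): argc=1 a0="cat"
type=SYSCALL msg=audit(1054075811.500:103): arch=c000003e syscall=2 success=yes pid=3990 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1054075811.500:103): item=0 name="/etc/passwd"
"""

EVENT_ID = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by audit event id: {id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[int(m.group(1))][fields["type"]] = fields
    return dict(events)


def exec_view(events):
    """What exec-based command logging sees: the argv of each execve."""
    argvs = []
    for ev in events.values():
        e = ev.get("EXECVE")
        if e:
            argvs.append([e[f"a{i}"] for i in range(int(e["argc"]))])
    return argvs


def file_reads(events, path):
    """Successful opens of `path` as (pid, comm), whoever performed them."""
    return [(int(ev["SYSCALL"]["pid"]), ev["SYSCALL"]["comm"])
            for ev in events.values()
            if ev.get("PATH", {}).get("name") == path
            and ev.get("SYSCALL", {}).get("success") == "yes"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("exec log :", exec_view(evs))
    print("file log :", file_reads(evs, "/etc/passwd"))
```

In both cases the open is attributed to bash rather than cat, because the shell performs the redirection itself before any exec happens.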