Tonnerre Lombard <[EMAIL PROTECTED]> wrote:
> On Thu, 2006-09-21 at 11:59 -0700, Keith Bucher wrote:
> > One option that I've used to log these commands is sudosh
> > (http://sourceforge.net/projects/sudosh/).  It acts as a login
> > shell, but logs all commands/keystrokes and allows easy
> > playback/review of them for auditing.
> 
> What if one of the commands is /bin/ksh? Or if the person in question
> runs sudo /bin/ksh?

Download the source (v1.6.3 is available from SourceForge).  Try it.  The 
source code needs at least one code change to compile with GCC v4.x on 
Solaris 8 (add #include <string.h>, but it needs to be wrapped in #ifdef 
HAVE_STRING_H and #endif since the autoconfigure process looks for it).

You will find that it actually runs the shell in an environment with pty 
(pseudo-tty) input and output, and it logs the input and output.  So, this 
includes all the sub-processes, of course.  In other words, it does do as 
advertised and keylogs the activities of the super-user (if it is a 
super-user who runs it).  There's also a mechanism to replay what happened 
- sudosh-replay - which can do the job at the same speed as the user typed 
it, or faster if you set the command line options.  This allows you to see 
what the logged user saw.

Clearly, a cognizant root user could find the log files and remove them; I 
don't think there is much you can do about that, unless you hacked sudosh 
to log over a network connection to an unsubvertible machine.

There's supposed to be a version 2 product renamed EAS (Enterprise Audit 
Shell) available at http://download.strchr.net but it requires 
registration somewhere to get at the material so I haven't looked at it. 
See the Sourceforge page for more information.

-- 
Jonathan Leffler ([EMAIL PROTECTED]) 
STSM, Informix Database Engineering, IBM Information Management Division 
4100 Bohannon Drive, Menlo Park, CA 94025-1013 
Tel: +1 650-926-6921     Tie-Line: 630-6921 
          "I don't suffer from insanity; I enjoy every minute of it!" 
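The mechanism described above (a shell run under a pseudo-terminal, with every keystroke and every byte of output logged, plus a replayer that runs at the typed pace or faster), as an added example that is not part of the original thread and is not sudosh's own code. The JSON-lines log format, the `speed` and `max_wait` replay knobs, and the sample log are this example's own assumptions, not sudosh-replay's file format or command-line options. Because the hook is the pty itself, a nested `/bin/ksh` or `sudo /bin/ksh` started inside the audited shell is captured too: its I/O still flows through the same pty. The local log file remains deletable by root; passing a socket or remote-syslog file object as `sink` is the "log over a network connection" variant mentioned above.

```python
# Added example (not from the thread or from sudosh): a minimal sudosh-style
# session recorder and replayer built on a pseudo-terminal.
import json
import os
import pty
import select
import sys
import termios
import time
import tty


def log_event(sink, start, direction, data):
    """Append one event as a JSON line (assumed format, not sudosh's).
    Bytes are hex-encoded so control characters survive the text log."""
    sink.write(json.dumps({"t": round(time.monotonic() - start, 6),
                           "dir": direction, "data": data.hex()}) + "\n")
    sink.flush()


def record_session(argv, sink):
    """Run argv (e.g. ["/bin/ksh"]) under a pty, wire the user's terminal to
    it, and log both directions into sink.  Anything started inside the
    shell, a nested ksh included, talks through this same pty and is logged.
    Returns the child's wait status."""
    pid, master = pty.fork()
    if pid == 0:                      # child: become the audited shell
        os.execvp(argv[0], argv)
    start = time.monotonic()
    stdin_fd, stdout_fd = sys.stdin.fileno(), sys.stdout.fileno()
    saved = termios.tcgetattr(stdin_fd) if os.isatty(stdin_fd) else None
    if saved is not None:
        tty.setraw(stdin_fd)          # pass keystrokes through uncooked
    master_open = True
    try:
        while True:
            ready, _, _ = select.select([master, stdin_fd], [], [])
            if master in ready:
                try:
                    out = os.read(master, 4096)
                except OSError:       # EIO: the shell has exited
                    break
                if not out:
                    break
                os.write(stdout_fd, out)
                log_event(sink, start, "out", out)
            if stdin_fd in ready:
                keys = os.read(stdin_fd, 4096)
                if not keys:          # EOF on our stdin: hang up on the shell
                    os.close(master)
                    master_open = False
                    break
                os.write(master, keys)
                log_event(sink, start, "in", keys)
    finally:
        if master_open:
            os.close(master)
        if saved is not None:
            termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved)
    _, status = os.waitpid(pid, 0)
    return status


def parse_log(lines):
    """Parse JSON log lines back into (t, direction, bytes) tuples."""
    events = []
    for line in lines:
        if line.strip():
            e = json.loads(line)
            events.append((float(e["t"]), e["dir"], bytes.fromhex(e["data"])))
    return events


def replay_schedule(events, speed=1.0, max_wait=None):
    """Turn the output events into (delay, data) pairs.  speed=1.0 replays at
    the pace the user typed; speed=2.0 is twice as fast; max_wait caps any
    single pause.  Only output is replayed: the pty echoes typed characters
    into the output stream, so that is exactly what the user saw."""
    schedule, prev = [], 0.0
    for t, direction, data in events:
        if direction != "out":
            continue
        delay = (t - prev) / speed
        if max_wait is not None:
            delay = min(delay, max_wait)
        schedule.append((max(delay, 0.0), data))
        prev = t
    return schedule


def replay(lines, out=None, speed=1.0, max_wait=None, sleep=time.sleep):
    out = out or sys.stdout.buffer
    for delay, data in replay_schedule(parse_log(lines), speed, max_wait):
        sleep(delay)
        out.write(data)
        out.flush()


# Constructed sample log: a prompt, the user typing "id", and the reply.
SAMPLE_LOG = [
    '{"t": 0.0, "dir": "out", "data": "2420"}',
    '{"t": 1.5, "dir": "in",  "data": "69"}',
    '{"t": 1.5, "dir": "out", "data": "69"}',
    '{"t": 2.0, "dir": "in",  "data": "640a"}',
    '{"t": 2.0, "dir": "out", "data": "640d0a"}',
    '{"t": 5.0, "dir": "out", "data": "7569643d3028726f6f74290d0a"}',
]

if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[1] == "replay":    # replay LOG [SPEED]
        with open(sys.argv[2]) as f:
            replay(f.readlines(),
                   speed=float(sys.argv[3]) if len(sys.argv) > 3 else 1.0)
    else:                                                 # record [SHELL ...]
        with open("session.log", "a") as f:
            status = record_session(sys.argv[1:] or ["/bin/sh"], f)
        sys.exit(os.waitstatus_to_exitcode(status))
```

Run it as `python3 recorder.py /bin/ksh` to record into `session.log`, and `python3 recorder.py replay session.log 2` to watch the session at twice the original pace.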