Subject: Re: [ksh93-integration-discuss] KSH93 to assist in Auditing --------
> Hello, > > I have a need for command auditing of other administrators with root access. > W > hile I can accomplish this with BSM there are several short comings, namely a > pe > rformance overhead, lack of environment context (PWD), and an inability to > see a > rguments (execve without ARGV[]). > > There are wrappers out there like "rootsh" which I like but don't feel is > produ > ction safe. > > In general, I need run commands sent syslog complete with arguments, any > additi > onal information (command output) would be icing on the cake. > > KSH93 does a wide range of things beyond my expectation. Is there any way > that > KSH93 could help me in this regard? > > benr. > > There is a compile option name, SHOPT_AUDIT, and another named SHOPT_AUDITFILE which can be set the name of the audit file. The audit file specifies which id's are to be audited and where the information should be written to. If you want to log it on a server on another system you can use the /dev/tcp/host/port name. This log file information from users whose real or effective uid is listed in the auditfile. Each message contains contains the effective and real uid, time, terminal and complete command that was input. However, the auditing option is not the default. The audtifile name default to /etc/ksh_audit. David Korn dgk at research.att.com
