> A good record log format is like that obtained using sudo (with log
> enabled):
>
> Jun 30 14:22:16 : it32673 : TTY=pts/1 ; PWD=/home/it32673 ; USER=root ;
> COMMAND=/bin/df -h
>
> ...where "it32673" is the user that has launched the COMMAND=.
The sudo log gives you some basic ideas and for very locked down
configurations will give you useful info (but not for more general ones)
- if your log says
COMMAND=more /var/log/messages
what happened? It could be what it seems, or it could be that the user then did
!vi /etc/passwd
at the more command prompt.
> Do you know if there are specific rules of PAM (etc/pam.d/su ?) to do it
> (i.e. adding a specific call, increasing the debug..) or by setting a
> system parameter?
The later kernels have a full audit subsystem. I don't know if that's in
the SLES product or not, but it provides a proper audit trail and logging
of what actually happened, not just what was typed.
You need to ask SuSE/Novell about the audit features, I think. That will
give you all you wanted to know (and unless you turn it down, a lot lot
more).
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
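As an added example (not from the thread and not sudo's own code), here is a small parser for the sudo log format quoted above that flags entries where the logged COMMAND by itself does not show what was actually done, the "more" followed by "!vi" case the reply describes. The regex, the INTERACTIVE_ESCAPES list and the sample log lines are constructed assumptions for illustration.

```python
import os
import re
from dataclasses import dataclass

# Assumed layout, taken from the line quoted in the thread:
# "Mon DD HH:MM:SS : user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Programs with their own prompt from which a further command can be run,
# so the sudo entry proves only what was typed, not what happened (assumed list).
INTERACTIVE_ESCAPES = {"more", "less", "vi", "vim"}


@dataclass
class SudoEvent:
    ts: str
    user: str
    tty: str
    pwd: str
    runas: str
    cmd: str

    def program(self) -> str:
        """Base name of the executable in COMMAND, or '' if COMMAND is empty."""
        parts = self.cmd.split()
        return os.path.basename(parts[0]) if parts else ""

    def needs_audit_trail(self) -> bool:
        """True when the kernel audit trail, not this line, is the real evidence."""
        return self.program() in INTERACTIVE_ESCAPES


def parse_sudo_log(lines):
    """Parse lines in the quoted format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = SUDO_LINE.match(line.strip())
        if m:
            events.append(SudoEvent(**m.groupdict()))
    return events


def flag_opaque_commands(lines):
    """Return (user, COMMAND) pairs whose sudo entry alone does not show what was done."""
    return [(e.user, e.cmd) for e in parse_sudo_log(lines) if e.needs_audit_trail()]


# Constructed sample log for demonstration only.
SAMPLE_LOG = [
    "Jun 30 14:22:16 : it32673 : TTY=pts/1 ; PWD=/home/it32673 ; USER=root ; COMMAND=/bin/df -h",
    "Jun 30 14:25:02 : it32673 : TTY=pts/1 ; PWD=/home/it32673 ; USER=root ; COMMAND=/bin/more /var/log/messages",
    "Jun 30 14:31:40 : it32673 : TTY=pts/1 ; PWD=/home/it32673 ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts",
    "this line is not a sudo entry and is ignored",
]
```

Run with `flag_opaque_commands(SAMPLE_LOG)` to get the entries a reviewer should cross-check against the audit trail.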