-----Original Message----- While a little more verbose than one might like, couldn't you audit exec() system calls? That would certainly capture all the commands issued from a shell. However, you might want to only audit successful exec()s. As I recall from auditing *nix systems years ago, shells tend to just start trying to execute a command name along your path and if it fails, it tries again with the next path (for example, the command doesn't exist in /usr/local/bin, let's try /usr/bin and then /usr/sbin, etc.) This would pick up other exec()s as well, but you should be able to generate reports to find the ones that were issued by a shell. Just a thought. --Tad Taylor Message: 3 Date: Thu, 26 Apr 2007 11:10:05 -0400 From: Steve Grubb <[EMAIL PROTECTED]> Subject: Re: Recording user command ? To: [email protected] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="iso-8859-1" On Thursday 26 April 2007 10:32, Gavin White wrote: > In addition to recording system calls, file activity etc, I would like > to record issued commands, ie. anything typed into a shell by a user. > > Is this a reasonable thing to do with auditd? Is it possible? Well, there are 2 kinds of users, root and everyone else. What everyone else does cannot be logged by the session they are running in because it does not have enough privileges to log to the audit system. For the root user, it has enough privileges to log. We are working on a solution for this problem. I think most security targets are only interested in actions performed by the root user since they can affect the machine in many ways. So, as it stands today, it can't be done with the audit system. We hope to have something that starts to address the problem soon. -Steve ------------------------------ -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit End of Linux-audit Digest, Vol 31, Issue 12 *******************************************
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
