James Gray wrote:
Not directly. You can imply what *might* have happened from the changes made. Best option is to install a key-logger. We use key-loggers on all our core *nix boxen mainly because there are a few people with root's password (7 or 8 senior admins - the rest get sudo). Root's .history file is a symlink to /dev/null. So we use a keylogger that sends all the keystrokes to another machine :) Sorta like remote syslog.That wont handle the case of a remote login, either rsh or ssh ... or via the serial console.
Is placing a keylogger even legal, with or without the employee's knowledge ?
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
