On 2011 Nov 15, at 15:45, Jo Rhett wrote:
>
> On Oct 28, 2011, at 2:29 PM, Mark McCullough wrote:
>> Is your need to be a keystroke/display logger, or is it to log the commands
>> entered? I find these two requirements quite different and actually
>> excluding each other.
>
> This is unclear to me at this time ;-)

I'd say you should decide which is your real goal. The two issues call for very different toolsets.

>> I am not a fan of rootsh under any circumstances.
>
> Can you explain why?

Too easy to alter the log invisibly without any evidence of such left on the local system. Far too difficult to actually read the log. I don't care what typos the user made, I care what command they actually entered.

When we left it behind, the code was abandoned, no updates, no evidence of activity even.

When we tried to read the logs, it was invariably a mess. No one was able to actually pick through it and see what happened. One vi session in the middle and you could forget reading the results. Sending those results through automated filtering and searching? Even worse.

I was also always afraid of the possibility of deliberate bogus characters to exploit text viewers to execute commands. Sysadmins are often lazy about reading unsafe files.

rootsh also had no provision to not log critical keystrokes the user may have to type, like passwords.

I admit, my experience with rootsh is four years old. But we'd been using it for many years before then and were never happy with it. We just didn't have any better option then.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)
Mark McCullough

_______________________________________________
Tech mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
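An added example, not part of the original message and not rootsh code: one way to review a raw session capture without letting embedded control characters reach the terminal or pager, the concern raised in the message above. The function names and the sample bytes are constructed for illustration; it assumes only that the log is a byte stream of what was typed or displayed.

```python
import re
import sys

# Terminal escape sequences: CSI, OSC (possibly unterminated), other ESC pairs.
ESCAPE_RE = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    rb"|\x1b[0-~]?"
)

# Constructed sample: a title-setting OSC, two CSI sequences, CR and backspaces.
SAMPLE = b"ls -l\r\n\x1b]0;fake title\x07cat notes\x1b[2K\x1b[1Apasswd\x08\x08\n"


def visible(chunk):
    """Render bytes so only printable ASCII, tab and newline pass through."""
    out = []
    for b in chunk:
        # Backslash is escaped too, so the \xNN notation stays unambiguous.
        if (0x20 <= b < 0x7F and b != 0x5C) or b in (0x09, 0x0A):
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def sanitize(raw):
    """Return (safe_text, findings); every escape sequence is shown, not run."""
    parts, findings, pos = [], [], 0
    for m in ESCAPE_RE.finditer(raw):
        parts.append(visible(raw[pos:m.start()]))
        seq = m.group(0)
        kind = ("OSC" if seq.startswith(b"\x1b]")
                else "CSI" if seq.startswith(b"\x1b[") else "ESC")
        shown = visible(seq)
        findings.append(f"{kind} at byte {m.start()}: {shown}")
        parts.append(f"<{kind}:{shown}>")  # keep the content, inert
        pos = m.end()
    parts.append(visible(raw[pos:]))
    return "".join(parts), findings


if __name__ == "__main__":
    # Pass a log path as the first argument; otherwise the sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    text, findings = sanitize(raw)
    print(text)
    for finding in findings:
        print("finding:", finding, file=sys.stderr)
```

Bytes above 0x7E are also shown as `\xNN`, so UTF-8 text in the capture is readable only as hex; that is the trade-off for never emitting 8-bit control codes.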
