On Apr 13, 2010, at 11:36 AM, Matt Lawrence wrote:
> system to misbehave and can't remember exactly what. Command line logging
> with a timestamp is quite adequate for this situation.

One simple approach might be the good ol' xSH-Paranoia patch (http://freshmeat.net/projects/xsh-paranoia/) that was frequently used in honeypots. It logs every shell command to syslog, along with the UID information from utmp. This includes the ability to track the original user after a su.

The patch was originally written for bash 2.x, but with lots of patch fuzz or a little bit of manual work it will happily apply and work with the bash 3.2 source code from CentOS5.

It seems that the official upstream source for the patch has withered away over time, so I've persisted a copy here:

http://www.binarytribe.com/share/jpenix/bash-paranoia.patch

--
Joshua Penix
http://www.binarytribe.com
Binary Tribe
Linux Integration Services & Network Consulting

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
