sooo close!

psacct does everything we need except log the parameterd to the command. 
  This is important as it simply shows I ran a command - not what I 
really did:

[root@ServerABB account]# lastcomm --user root
lastcomm                root     pts/0      0.01 secs Wed Aug  1 21:19
man                     root     pts/0      0.04 secs Wed Aug  1 21:19
sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
less                    root     pts/0      0.00 secs Wed Aug  1 21:19


man lastcomm does not indicated I can do that, either.

George Toft, CISSP, MSIS
623-203-1760




Jeremy C. Reed wrote:
> On Wed, 1 Aug 2007, George Toft wrote:
> 
> 
>>I am searching for a solution.  Client company is looking for a means to 
>>track all commands issued by root.  PowerBroker has already been 
>>excluded as it will cost over $1M to deploy.  Product must be 
>>inexpensive and supported.
>>
>>I've researched this a bit already, and came up with sudoshell (no 
>>development since 2004) and modifying the bash source code and 
>>recompiling.  Neither solution is acceptable.
>>
>>Any ideas?
> 
> 
> How much detail do you need? BSD systems have accounting of all commands 
> that can be easily enabled -- it has been useful for me.
> 
> Linux has similar capability. Some old links:
> 
> http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm 
> (source in same directory)
> http://directory.fsf.org/acct.html
> http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
> http://www.linuxjournal.com/article/6144
> 
> Some of my customers use atop. (I installed it recently on CentOS.)
> I found some links:
> 
> http://www.atconsultancy.nl/atop/
> http://aplawrence.com/Words2005/2005_07_09.html
> 
> These both keep logs.
> 
> If they don't record what you want, let us know. (Also FreeBSD recently 
> gained "security event auditing" which has some portable code for Linux 
> called OpenBSM ("M" on the end there).
> 
>   Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> 
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss