A couple ideas spring to mind. The first and easiest to implement is process accounting. It can be turned on within the kernel, BSD Process Accounting under General Setup. The drawback there is that you don't get command line arguments.
Another option would be the logging that comes with something like the GrSecurity kernel patch. http://www.grsecurity.net/

If you're going to be allowing shell access you'll probably want something like grsec anyway, among other things.

Hope that helps.

Steve

On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
>
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
>
> There won't be many privacy issues as most users won't have shell.
>
> The goal is to review a daily report for anything unexpected: stuff like:
>
> tar -xzf rootkit.tar.gz
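
Added example, not part of the original thread: a daily review pass over process accounting records, showing that each record carries only the command name and no arguments, as the reply notes. It assumes the Linux acct_v3 record layout from <linux/acct.h> in little-endian byte order; the sample records, the EXPECTED baseline and the function names are constructed for illustration.

```python
import struct
from collections import Counter

# Assumed layout: Linux struct acct_v3 (<linux/acct.h>), 64 bytes, little-endian.
# Fields: flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
# eight 16-bit comp_t counters, then the 16-byte command name (ac_comm).
REC = struct.Struct("<BBHIIIIIIf8H16s")
ASU = 0x02  # ac_flag bit: process used superuser privileges

def parse(blob):
    """Yield one dict per complete v3 record in a raw accounting byte string."""
    for off in range(0, len(blob) - REC.size + 1, REC.size):
        f = REC.unpack_from(blob, off)
        if f[1] != 3:  # ac_version: skip anything that is not a v3 record
            continue
        yield {"su": bool(f[0] & ASU), "uid": f[4], "pid": f[6],
               "ppid": f[7], "btime": f[8],
               "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace")}

def unexpected(records, expected):
    """Count (uid, comm) pairs whose command name is outside the baseline."""
    return Counter((r["uid"], r["comm"])
                   for r in records if r["comm"] not in expected)

def make_record(uid, pid, comm, flag=0):
    """Build a constructed v3 record for this demo (not captured data)."""
    return REC.pack(flag, 3, 0, 0, uid, uid, pid, 1, 1067400000, 0.0,
                    *([0] * 8), comm.encode())

# Constructed sample: what the accounting file holds after a short session.
SAMPLE = b"".join([
    make_record(1001, 400, "ls"),
    make_record(1001, 401, "tar"),
    make_record(1001, 402, "tar"),
    make_record(0, 403, "cron", ASU),
])
EXPECTED = {"ls", "cat", "cron", "sh"}  # hypothetical per-host baseline

if __name__ == "__main__":
    for (uid, comm), n in sorted(unexpected(parse(SAMPLE), EXPECTED).items()):
        print(f"uid={uid} comm={comm} count={n}")
```

The report can say that uid 1001 ran tar twice, but not which archive was unpacked, because the record has no field for arguments.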