Actually, these aren't root users; they are users that have access to a
specific user / group for admin of a particular application. We think we
know what group is killing these processes, but we don't have proof and they
keep denying what they are doing...

Why is it crashing my system? That's a good question...

I have /var/audit mounted on its own file system and its own disk... the
entire file system locks up when the file system gets full with logs..

--------------
Brian Carpio
CSG Systems Inc.
Open Systems Unix System Admin

x3317
--------------

On Thu, 17 Jan 2002 [EMAIL PROTECTED] wrote:

> On Tue, 15 Jan 2002, Brian Carpio wrote:
> 
> >
> > All,
> >
> > I have a situation where I need to monitor all user activity on a server
> > (just certain users) like file creation, the killing of processes etc,
> > because I believe there is someone doing things they shouldn't be but I
> > can't find out who is doing what..
> 
> Killing of processes?  Are you monitoring people who have root access and
> are malicious? (!).  Good luck!  Sounds like a personnel management
> problem, not a systems management problem.  How do you know they're not
> going to tamper with your audit trail?
> 
> >
> > I tried to implement BSM on an E1000 and an E450 but I seem to have the
> > same problem with both servers .... when the log dir gets full the system
> > locks the file system and I have to reboot the server.. or the entire
> > system just crashes...
> <snip>
> 
> 
> Why is it crashing your system?
> Are you auditing into / or /var ?  If so, put the audit files on their own file
> system or, better, their own disk.
> 
> If you haven't already,
> take a look at the "Administering Auditing" section of the docs for
> suggestions on managing the flood of data.
> 
> http://docs.sun.com:80/ab2/coll.47.11/SHIELD/@Ab2PageView/522?DwebQuery=bsm&oqt=bsm&Ab2Lang=C&Ab2Enc=iso-8859-1
> 
> Also, the Sun Blueprint on auditing
> http://www.sun.com/blueprints/0201/audit_config.pdf
> 
