Thanks Brant,

Unfortunately, that 2.6 kernel thing is a deal buster as they use 2.4
kernels. However, this is pretty cool - thanks for the info!

George Toft, CISSP, MSIS
623-203-1760

Brant Evans wrote:
> George,
>
> Look into LAuS (Linux Audit Subsystem). It has the ability to watch
> commands as well as system calls. I don't remember if it records
> command-line options or not.
>
> LAuS is in 2.6 kernels. To get started look at the man pages for
> auditd and auditctl.
>
> Brant Evans
>
>
> On 8/1/07, George Toft wrote:
>
>>sooo close!
>>
>>psacct does everything we need except log the parameters to the command.
>> This is important as it simply shows I ran a command - not what I
>>really did:
>>
>>[root@ServerABB account]# lastcomm --user root
>>lastcomm root pts/0 0.01 secs Wed Aug 1 21:19
>>man root pts/0 0.04 secs Wed Aug 1 21:19
>>sh root pts/0 0.00 secs Wed Aug 1 21:19
>>sh root pts/0 0.00 secs Wed Aug 1 21:19
>>less root pts/0 0.00 secs Wed Aug 1 21:19
>>
>>
>>man lastcomm does not indicate I can do that, either.
>>
>>George Toft, CISSP, MSIS
>>623-203-1760
>>
>>
>>Jeremy C. Reed wrote:
>>
>>>On Wed, 1 Aug 2007, George Toft wrote:
>>>
>>>>I am searching for a solution. Client company is looking for a means to
>>>>track all commands issued by root. PowerBroker has already been
>>>>excluded as it will cost over $1M to deploy. Product must be
>>>>inexpensive and supported.
>>>>
>>>>I've researched this a bit already, and came up with sudoshell (no
>>>>development since 2004) and modifying the bash source code and
>>>>recompiling. Neither solution is acceptable.
>>>>
>>>>Any ideas?
>>>
>>>
>>>How much detail do you need? BSD systems have accounting of all commands
>>>that can be easily enabled -- it has been useful for me.
>>>
>>>Linux has similar capability. Some old links:
>>>
>>>http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm
>>>(source in same directory)
>>>http://directory.fsf.org/acct.html
>>>http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
>>>http://www.linuxjournal.com/article/6144
>>>
>>>Some of my customers use atop. (I installed it recently on CentOS.)
>>>I found some links:
>>>
>>>http://www.atconsultancy.nl/atop/
>>>http://aplawrence.com/Words2005/2005_07_09.html
>>>
>>>These both keep logs.
>>>
>>>If they don't record what you want, let us know. (Also FreeBSD recently
>>>gained "security event auditing" which has some portable code for Linux
>>>called OpenBSM ("M" on the end there).)
>>>
>>> Jeremy C. Reed
>>>---------------------------------------------------
>>>PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>>To subscribe, unsubscribe, or to change your mail settings:
>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
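
An added example, not part of the thread or of any project named in it: the gap George describes in psacct (command names but no arguments) is what the audit subsystem's paired SYSCALL and EXECVE records close. The sketch below assumes the Linux auditd log format and an execve audit rule; the log lines, key name and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in auditd log format (assumed rule, for example:
#   auditctl -a always,exit -F arch=b64 -S execve -k exec).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1186028340.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2290 auid=1000 uid=0 euid=0 tty=pts0 comm="man" exe="/usr/bin/man" key="exec"
type=EXECVE msg=audit(1186028340.101:501): argc=2 a0="man" a1="lastcomm"
type=SYSCALL msg=audit(1186028351.412:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2295 auid=1000 uid=0 euid=0 tty=pts0 comm="grep" exe="/bin/grep" key="exec"
type=EXECVE msg=audit(1186028351.412:502): argc=3 a0="grep" a1=726F6F742070617373 a2="/etc/shadow"
type=SYSCALL msg=audit(1186028360.007:503): arch=c000003e syscall=59 success=yes exit=0 ppid=3001 pid=3002 auid=1001 uid=1001 euid=1001 tty=pts1 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1186028360.007:503): argc=2 a0="ls" a1="-l"
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; bare hex is an argument auditd encoded
    because it contained a space, quote or control character."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex (for example "(null)")

def root_commands(log_text):
    """Return [(timestamp, auid, argv)] for execve events run with euid 0."""
    events = defaultdict(dict)  # (timestamp, serial) -> {record type: fields}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)][rtype] = dict(FIELD_RE.findall(body))
    out = []
    for (ts, _serial), recs in events.items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex or sc.get("euid") != "0":
            continue
        # Very long arguments split as aN[0], aN[1] are skipped in this sketch.
        argv = [decode(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        out.append((ts, sc.get("auid"), argv))
    return out
```

The `auid` field is the login identity that persists across `su` and `sudo`, so each root command can be attributed to the account that originally logged in.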