Vulnerability Development mailing list archives

quick dirty and most of all-easy process accounting via lkm


From: security () SUPPORTTEAM NET (Security Team)
Date: Sun, 16 Apr 2000 23:41:00 -0500


http://www.securityfocus.com/data/tools/exec.c

this utility will log all execvs to syslog in the following format

Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
EXECVE(UID)[PID].

combined with ngsyslogd you can have some really mean logging

kw
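An added example, not the exec.c code linked above and not part of the original post: a small Python parser for the EXECVE(UID)[PID] syslog format shown, with a per-uid summary in the spirit of lastcomm and a watch-list check over the parsed records. Only the first sample line is the one quoted in the post; the other lines, the uids and the watched program names are constructed for illustration.

```python
import re
from collections import defaultdict
from os.path import basename

# One syslog line in the EXECVE(UID)[PID]: path args format shown in the post.
# Timestamp, hostname and the "kernel:" tag are standard syslog framing; the
# EXECVE(...)[...] part and the command line are what the module emits.
EXECVE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: "
    r"EXECVE\((?P<uid>\d+)\)\[(?P<pid>\d+)\]: (?P<cmdline>.*)$"
)

# Constructed sample input (assumption): the first line is the one from the
# post, the others are made up to exercise the parser, including one
# unrelated kernel message that must be skipped.
SAMPLE_LOG = """\
Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
Nov 15 00:42:31 perly kernel: EXECVE(1001)[4840]: /bin/ls -la /tmp
Nov 15 00:42:35 perly kernel: EXECVE(1001)[4841]: /usr/bin/gcc -o x x.c
Nov 15 00:42:40 perly kernel: EXECVE(0)[4842]: /usr/sbin/useradd bd
Nov 15 00:42:41 perly kernel: eth0: link up
"""


def parse_line(line):
    """Return a dict for an EXECVE line, or None for any other syslog line.

    The logged command line is space-joined, so an argument that itself
    contains a space cannot be told apart from two arguments; we split on
    whitespace and accept that ambiguity, which is inherent in the format.
    """
    m = EXECVE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group("cmdline").split()
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "uid": int(m.group("uid")),
        "pid": int(m.group("pid")),
        "path": parts[0] if parts else "",
        "args": parts[1:],
    }


def parse_log(text):
    """Parse a syslog extract, keeping only the EXECVE records in log order."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def commands_by_uid(records):
    """Group executed program paths per uid (a lastcomm-style per-user view)."""
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r["path"])
    return dict(by_uid)


def find_watched(records, watched_names):
    """Return records whose executed program's basename is on the watch list."""
    return [r for r in records if basename(r["path"]) in watched_names]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for uid, cmds in sorted(commands_by_uid(recs).items()):
        print(f"uid {uid}: {' '.join(cmds)}")
    for r in find_watched(recs, {"useradd", "gcc"}):
        print(f"watch: uid={r['uid']} pid={r['pid']} {r['path']} {' '.join(r['args'])}")
```

Feed it the output of `grep 'EXECVE(' /var/log/messages` (or whatever file syslogd writes kern.* to on your box) and it gives a per-uid list of what was run plus any hits on programs you care about. Because the logged command line is a single space-joined string, an argument containing spaces is indistinguishable from two arguments, so treat the args list as a hint rather than an exact argv.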

----- Original Message -----
From: <chris () STRICTLY NOSUCKAZ NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, April 15, 2000 8:43 PM
Subject: Re: History Files

Okay, all this talk about bofh, and nobody has mentioned the easiest
method of doing this, which is not new to Linux and provides excellent
accounting on what your users are doing. I'm not sure if this saves
argv[1-x], but I think it does somehow; the base accounting log is enough.
Turn on 'BSD Process Accounting' in your kernel and get the BSD process
accounting package for your Linux distribution.  Now with the simple
command lastcomm, you see everything.

The only other 'secure' way I can think of doing this, that would achieve
the best results without using kludgy scripts or a massive overhead on some
'tail' process hanging off every shell's stdin fd, is to have your shells
patched to dump all input to a file or something.  Process Accounting rocks
though; I don't understand why you're not using it already or why this
wouldn't finish this thread. =)

Chris.

On Sat, 15 Apr 2000, audit wrote:

`->Greetings,
`->
`->I admin a few Linux servers and have a question about users' .bash_history
`->files. The users on the systems keep their history files but I would like
`->to have what they type logged to /root/history/$user_history
`->I know that this is not polite on my end or the other co-admins' but we
`->need to know what our users are doing at all times. These are Slackware
`->boxes and some RedHat boxes.
`->
`->Thanks
`->

