On Thu, 27 Oct 2005 15:46:08 CDT, Mark Bainter said:

> I'm looking to write a fairly simple (at least at first) module that I can
> use to just log all of the commands root executes on a machine.

Subtle distinction you might need to be aware of - is the requirement to log all processes that run as root, or to log actual commands entered while logged in as (or su'ed to) root?

There haven't been any *logins* as root on my laptop since 4AM when the accounting file got rolled over - but 'lastcomm | grep root | wc' returns a number well over 1,200.

Similarly, if somebody is logged in as root, and does something like 'cd /usr/src/linux-2.6.14; make clean; make' that could be 50K or more processes launched by the 'make'.

"log all processes run as root" is probably best addressed via auditd/auditctl.

Bonus points if you can figure out why somebody on the list will probably point out that "log all commands entered" doesn't paint an accurate story either - but two hints are (a) most editors can cause multiple modes of mischief and (b) the first tool *I*'d think of using here would be Sebek - 3.0 recently came out, and it's apparently been fixed up to support the 2.6 kernel (previous sebek versions hijacked an entry in the syscall table, a no-no under 2.6).
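As an added illustration of the auditd/auditctl approach mentioned above (example code, not part of the original post): assuming an execve rule keyed "root_exec" is loaded, this script joins SYSCALL and EXECVE records from constructed sample audit log lines and uses the auid field to separate a real root login from a su'd/sudo'd session and from a sessionless daemon, which is exactly the distinction between "processes run as root" and "commands entered as root".

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the post). They assume a rule like:
#   auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1130449568.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="make" exe="/usr/bin/make" key="root_exec"
type=EXECVE msg=audit(1130449568.101:501): argc=2 a0="make" a1="clean"
type=SYSCALL msg=audit(1130449570.220:502): arch=c000003e syscall=59 success=yes exit=0 auid=0 uid=0 gid=0 euid=0 ses=4 comm="vi" exe="/usr/bin/vi" key="root_exec"
type=EXECVE msg=audit(1130449570.220:502): argc=2 a0="vi" a1="/etc/passwd"
type=SYSCALL msg=audit(1130449571.000:503): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root_exec"
type=EXECVE msg=audit(1130449571.000:503): argc=1 a0="cron"
"""

UNSET = 4294967295  # auid/ses value the kernel reports when no login session was ever set
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Split one audit line into a dict of key=value fields; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["_ts"], fields["_serial"] = m.group(1), m.group(2)
    return fields

def classify(auid):
    """auid is the login uid and survives su/sudo, so it says who really typed the command."""
    if auid == UNSET:
        return "daemon/no-session"      # started by init, cron, etc.; nobody logged in
    return "root-login" if auid == 0 else "su/sudo-from-uid-%d" % auid

def root_commands(log_text):
    """Join SYSCALL and EXECVE records by event serial; return (origin, argv) per root exec."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        events[rec["_serial"]][rec["type"]] = rec
    out = []
    for serial in sorted(events, key=int):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex or sc.get("euid") != "0":
            continue                    # incomplete event or not running as root
        argv = [ex["a%d" % i] for i in range(int(ex["argc"]))]
        out.append((classify(int(sc["auid"])), argv))
    return out
```

On a live system the same records come from 'ausearch -k root_exec --raw'; the auid-based split is what lets you count the 50K 'make' children separately from the one command a person actually typed.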
This archive was generated by hypermail 2.1.3 : Fri Oct 28 2005 - 07:54:02 PDT