Here is a patch, probably something you want to test before using it on
a production box.
http://www.linbsd.org/log_execve.38.patch
It logs commands to syslog like this:
EXECVE: uid:1000 fullpath:/bin/ls command:ls foo
EXECVE: uid:1000 fullpath:/sbin/dmesg command:dmesg
EXECVE: uid:1000 fullpath:/usr/bin/touch command:touch fff
It works for any execve calls made by users with UID > 1000
so as to not spam you with the root and system processes.
I would lock down the logs if this was to be used on any production
server.
Works fine on 3.8; it should work on -current as well.
Let me know.
-Ober
On Sat, 24 Dec 2005, MK wrote:
Hello
I'm trying to log all commands which are entered by users, but till now still
without success. I think I was close with the "accton" and "lastcomm" commands,
but unfortunately it logs only commands without parameters, so for instance
if I disable pf with "pfctl -d" I have only pfctl in the log, so there is no way to
figure out what exactly happened.
I also modified syslog.conf to log everything in debug mode, but as I expected it
didn't help. It seems that Google doesn't have any idea either.
Is there any solution for my needs?
Thanks a lot for any idea
MK
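Once the patch above is producing "EXECVE: uid:... fullpath:... command:..." lines in syslog, the next step is doing something with them. The following is an added example, not code from the patch or from either poster: a small Python parser for that line format plus two detection rules run over constructed sample log lines. The first rule catches exactly the case MK asked about ("pfctl -d", which accton/lastcomm would only have recorded as "pfctl"); the second flags an argv[0] that does not match the basename of fullpath, since argv[0] is chosen by whoever calls execve and is not verified by the kernel. The syslog prefix ("Dec 24 ... /bsd:") and the sample lines are my own assumptions about how the records look once written by syslogd; the field layout is taken from the three lines quoted in the mail.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the message body of a log line in the format shown in the mail.
# "command:" is argv joined with single spaces and runs to end of line.
EXECVE_RE = re.compile(r"EXECVE: uid:(\d+) fullpath:(\S+) command:(.*)$")


@dataclass
class ExecEvent:
    uid: int
    fullpath: str
    argv: List[str]


def parse_execve_line(line: str) -> Optional[ExecEvent]:
    """Parse one syslog line; return None if it is not an EXECVE record.

    A syslog timestamp/hostname/program prefix before "EXECVE:" is tolerated
    because search() rather than match() is used.
    """
    m = EXECVE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    uid, fullpath, command = m.groups()
    # Caveat: the patch joins argv with spaces and does not quote, so an
    # argument that itself contains a space is indistinguishable from two
    # arguments. Splitting on single spaces is the best we can do here.
    return ExecEvent(int(uid), fullpath, command.split(" "))


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def flags_for(ev: ExecEvent) -> List[str]:
    """Return the names of the rules an event triggers (possibly none)."""
    findings = []
    # Rule 1: the case from the original question. "pfctl -d" disables pf;
    # only the logged arguments make this visible.
    if basename(ev.fullpath) == "pfctl" and "-d" in ev.argv[1:]:
        findings.append("pf disabled")
    # Rule 2: argv[0] is supplied by the caller, not the kernel, so a value
    # that differs from the executed binary is worth a second look.
    # (Assumption: treat it as suspicious; multi-call binaries and some
    # shells do this legitimately, so tune before alerting on it.)
    if ev.argv and ev.argv[0] and basename(ev.argv[0]) != basename(ev.fullpath):
        findings.append("argv[0] does not match fullpath")
    return findings


def scan(lines) -> List[Tuple[int, str, str]]:
    """Run every rule over every EXECVE line; return (uid, fullpath, rule)."""
    results = []
    for line in lines:
        ev = parse_execve_line(line)
        if ev is None:
            continue
        for finding in flags_for(ev):
            results.append((ev.uid, ev.fullpath, finding))
    return results


# Constructed sample log; the prefix format is an assumption, the EXECVE
# field layout follows the lines quoted in the mail.
SAMPLE_LOG = """\
Dec 24 10:00:01 gw /bsd: EXECVE: uid:1000 fullpath:/bin/ls command:ls foo
Dec 24 10:00:02 gw /bsd: EXECVE: uid:1000 fullpath:/sbin/dmesg command:dmesg
Dec 24 10:00:03 gw /bsd: EXECVE: uid:1001 fullpath:/sbin/pfctl command:pfctl -d
Dec 24 10:00:04 gw /bsd: EXECVE: uid:1002 fullpath:/usr/bin/touch command:sh fff
Dec 24 10:00:05 gw sshd[123]: Accepted publickey for mk from 10.0.0.5
"""

if __name__ == "__main__":
    for uid, path, rule in scan(SAMPLE_LOG.splitlines()):
        print(f"uid {uid} ran {path}: {rule}")
```

Because the patch only records executions by UID > 1000 and the log lines land in the ordinary syslog files, the "lock down the logs" advice above is the part to take seriously: anyone who can read the file sees every argument every user typed, including anything passed on a command line that should have been a prompt instead.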