Quote:
Originally Posted by daisychick
I'm looking for an auditing software that would show in depth reports of all commands input by users and all files touched. Can anyone make a recommendation?
Sure can:
0) The auditd service allows you to create rules to selectively log anything done by users via system call usage (not invasive if your kernel supports audit),
1) loggedfs (see example output in the "auditd missing syscalls?" thread) allows you to selectively log anything done by users using FUSE (depends on FUSE),
2) Inotify allows you to watch syscall usage somewhat similar to audit,
3) There are a few Bash logging patches around (invasive: have to replace the user's shell with a patched version),
4) Rootsh allows you to log a user's complete shell history including keystrokes and file contents (invasive: have to replace the user's shell with rootsh),
//*) For completeness' sake: the long-forgotten tool eliott watched directories for file creation/deletion/writes using dnotify (but that was old school kernel 2.4 stuff).
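An added example, not part of the original post: a small Python report builder for option 0, assuming an audit rule that logs `execve` calls is already loaded. It pairs each SYSCALL record with its EXECVE record, decodes hex-encoded arguments, and groups commands by login UID (`auid`); the log lines, function names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log format (not real logs).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2301 auid=1000 uid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="cat" a1="/etc/hostname"
type=SYSCALL msg=audit(1700000005.330:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2302 auid=1000 uid=0 tty=pts0 comm="touch" exe="/usr/bin/touch" key="user_cmds"
type=EXECVE msg=audit(1700000005.330:502): argc=2 a0="touch" a1=2F746D702F6D792066696C65
type=SYSCALL msg=audit(1700000009.000:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2400 auid=4294967295 uid=0 tty=(none) comm="cron" exe="/usr/sbin/cron" key="user_cmds"
type=EXECVE msg=audit(1700000009.000:503): argc=1 a0="cron"
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: process has no login session (daemons)

def decode(value):
    """Plain strings are quoted; ones with spaces or control chars are hex-encoded."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex after all, e.g. (null)

def commands_by_auid(log_text):
    """Return {auid: [(timestamp, effective uid, argv), ...]} in log order."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[(ts, serial)]  # records of one event share timestamp:serial
        if rtype == "SYSCALL":
            ev.update(ts=float(ts), auid=fields.get("auid"), uid=fields.get("uid"))
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [decode(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    report = defaultdict(list)
    for ev in events.values():
        if "argv" in ev and ev.get("auid") not in (None, UNSET_AUID):
            report[ev["auid"]].append((ev["ts"], ev["uid"], ev["argv"]))
    return dict(report)

if __name__ == "__main__":
    print(commands_by_auid(SAMPLE_LOG))
```

Grouping on `auid` rather than `uid` keeps commands attributed to the account that logged in, since `auid` does not change when the user switches to root.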