[ksh93-integration-discuss] KSH93 to assist in Auditing

[David Korn]

Subject: Re: [ksh93-integration-discuss] KSH93 to assist in Auditing
--------

> Hello, 
> 
>  I have a need for command auditing of other administrators with root access.  W
> hile I can accomplish this with BSM there are several short comings, namely a pe
> rformance overhead, lack of environment context (PWD), and an inability to see a
> rguments (execve without ARGV[]).
> 
>  There are wrappers out there like "rootsh" which I like but don't feel is produ
> ction safe.
> 
>  In general, I need run commands sent syslog complete with arguments, any additi
> onal information (command output) would be icing on the cake.
> 
>  KSH93 does a wide range of things beyond my expectation.  Is there any way that
>  KSH93 could help me in this regard?
> 
>  benr.
>  
>  

There is a compile option name, SHOPT_AUDIT, and another named
SHOPT_AUDITFILE which can be set the name of the audit file.
The audit file specifies which id's are to be audited and
where the information should be written to.  If you want
to log it on a server on another system you can use the /dev/tcp/host/port
name.

This log file information from users whose real or effective
uid is listed in the auditfile. Each message contains contains
the effective and real uid, time, terminal and complete command that
was input.

However, the auditing option is not the default.  The audtifile name
default to /etc/ksh_audit.

David Korn
dgk at research.att.com