[ale] Command auditing

Christopher Fowler cfowler at outpostsentinel.com
Mon May 5 21:34:38 EDT 2003


On Mon, May 05, 2003 at 09:28:24PM -0400, Fletch wrote:
> >>>>> "Christopher" == Christopher Fowler <cfowler at outpostsentinel.com> writes:
> 
>     Christopher> Is anyone here doing command auditing?  I would like
>     Christopher> every command executed via the shell to be sent as an
>     Christopher> auth message to syslog.  I have it working now but I
>     Christopher> had to modify the source code to ash to make this
>     Christopher> happen.  I was hoping there was another way.
> 
> You could write wrappers for execve() and friends which do your
> logging and then load that using LD_PRELOAD.
> 

Funny you should mention that.  I'm doing that now.  One problem I've
encountered is that syslog(3) will not play well in my wrappers since
an openlog(3) will destroy the application's previous openlog.  What
I'm thinking about doing is a fork() in the wrapper and the child will
then do the open, log, close functions of syslog(3).

I've got logging working now, I'm just cleaning it up and trying to
think of a simpler way to do it.

Chris


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
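
Added example, not part of the original message and not Chris's code: a sketch of the approach discussed in this thread, an LD_PRELOAD execve() wrapper whose forked child does the openlog/syslog/closelog so the calling application's own openlog(3) state is left alone. The names format_cmd and audit_log, the ident "cmd-audit" and the file name cmdaudit.so are assumptions; it assumes Linux and reaches the kernel with syscall(2) instead of dlsym().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
/* Assumed build/use: gcc -shared -fPIC -o cmdaudit.so cmdaudit.c; LD_PRELOAD=./cmdaudit.so sh */

/* Join path and argv[1..] into buf (always NUL-terminated, truncating if
 * needed); returns the number of bytes stored, excluding the NUL. */
size_t format_cmd(char *buf, size_t n, const char *path, char *const argv[])
{
    size_t used;
    int i, w;
    if (n == 0) return 0;
    buf[0] = '\0';
    w = snprintf(buf, n, "%s", path ? path : "(null)");
    used = (w < 0) ? 0 : ((size_t)w >= n ? n - 1 : (size_t)w);
    for (i = 1; argv && argv[i] && used < n - 1; i++) {
        w = snprintf(buf + used, n - used, " %s", argv[i]);
        if (w < 0) break;
        used += ((size_t)w >= n - used) ? n - used - 1 : (size_t)w;
    }
    return used;
}

/* Log one line at auth.info from a short-lived child, so openlog()/closelog()
 * only touch the child's copy of the syslog state. Returns 0 on success. */
int audit_log(const char *line)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        openlog("cmd-audit", LOG_PID, LOG_AUTH);
        syslog(LOG_INFO, "uid=%d ppid=%d %s", (int)getuid(), (int)getppid(), line);
        closelog();
        _exit(0);               /* skip the parent's atexit handlers */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Interposed execve(); the other exec*() entry points need their own wrappers. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char line[1024];
    format_cmd(line, sizeof line, path, argv);
    audit_log(line);            /* best effort: a logging failure never blocks the exec */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

LD_PRELOAD is ignored for set-uid programs and has no effect on statically linked binaries or on code that issues the system call directly, so this yields a convenience log rather than a tamper-proof audit trail. Calling syslog(3) in a fork() child is also unsafe when the caller is multi-threaded.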




