[ale] Need a method of recording command line operations for auditing purposes

Michael B. Trausch mike at trausch.us
Wed Jun 16 14:38:30 EDT 2010


On Wed, 2010-06-16 at 11:12 -0400, Mills John M-NPHW64 wrote:
> I just tried '$ xterm -l' on an 'ubuntu-9.04' box and it does seem to
> work. ('man' pages says the option may be disabled for security - I
> guess not in this distro.) Unfortunately the resulting log is
> completely accessible to the user.

Try "man script"; all you would need to do is have it start a new log
every time a user logs in, and then when that log file is created, have
another process open the log file and delete the file on disc.  Then,
periodically snapshot the file to a secure location (presumably
somewhere where the user being monitored has no read nor write nor
search access).  When the user logs out of their session and the script
program holding the file open ends, you can then copy the file in its
entirety to secure storage and close the file, which will delete the
original.

Note that this is exceptionally UNIX specific; it takes advantage of the
fact that you can delete a file that is held open and it won't truly be
deleted until such time as the file is actually closed.  It also makes
the assumption that the script program does hold the file open the
entire time.

If you use the timing data feature, you can recreate the user's shell
sessions pretty accurately.  The only thing that you would need to know
to play the thing back is the size of the terminal that they were
running.

Also note that this works for not just normal command line stuff, but
can save the use and output of full-terminal software as well.

	--- Mike
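The pattern Mike describes (a process holds the typescript open, the directory entry is unlinked so the user can no longer find it, and an auditor copies data out through the open descriptor) can be exercised without an interactive terminal. The following is an added example, not code from the thread: a plain writer on fd 4 stands in for script(1) holding its typescript, the function names (hold_and_unlink, snapshot_log, run_demo) are hypothetical, and all paths and session text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): the "hold open, unlink,
# snapshot via the open descriptor" pattern, with a plain writer standing
# in for script(1) so it runs non-interactively.

# Open the log read-only on fd 3 and remove its directory entry.  The
# inode survives until the last descriptor on it is closed, so the user
# can no longer open the path but the auditor can still read fd 3.
hold_and_unlink() {
    exec 3< "$1"
    rm -f "$1"
}

# Append everything written since the last snapshot to a copy in a
# directory the audited user cannot read, write or search.  Reading from
# fd 3 advances its offset, so repeated calls accumulate the whole session.
snapshot_log() {
    secure_dir="$1"
    mkdir -p "$secure_dir"
    chmod 700 "$secure_dir"          # in production: owned by a separate audit account
    cat <&3 >> "$secure_dir/session.log"
}

# Walk through one simulated session and return the secured transcript.
run_demo() {
    work=$(mktemp -d)
    log="$work/session.log"
    secure="$work/secure"

    exec 4> "$log"                   # "script" creates and holds the typescript
    hold_and_unlink "$log"           # auditor grabs a handle, then unlinks the path
    [ ! -e "$log" ] || return 1      # the user-visible file is gone

    printf '$ ls\nfile1\n' >&4       # constructed session output arrives...
    snapshot_log "$secure"           # ...and a periodic snapshot collects it
    printf '$ exit\n' >&4
    exec 4>&-                        # session ends: the writer closes its end
    snapshot_log "$secure"           # final copy, then release the audit handle
    exec 3<&-                        # now the inode is really freed

    cat "$secure/session.log"
    rm -rf "$work"
}
```

Two caveats when running this for real: the unlinked typescript is only hidden from path lookups, and on Linux the owner of the script process can still reach it through /proc/PID/fd, so the audited shell should not be able to inspect that process (or the log writer should run under a different uid); and the snapshot directory must be created by the audit account, not by the user's own login shell, or the permissions are under the user's control.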


