one method I've used before is to replace the user's shell in
/etc/passwd with a script that straces the user's real shell,
and logs all exec system calls (i.e. 'strace -ftv -e trace=process -o <somefile> <realshell>')



On 06/17/2002 11:16 -0400, Tyler wrote:
>>	On Mon, Jun 17, 2002 at 09:09:39AM -0600, Abiy,Mike [Edm] wrote:
>>	> 
>>	> The part that I am more concerned about is the keystrokes used (commands
>>	> run) during the the rmote login session. i can find out who logged in from
>>	> the wtmp file in /var/log , but i would like to be able to find what
>>	> commands they used during a particular session.
>>	> thanks
>>	> mike  
>>	
>>	Not really, unless you set up a keystroke logger ahead of time.  You
>>	could always read the user's ~/.bash_history or equivalent, but
>>	if the user is doing something malicious, he or she will probably remove
>>	or alter that file.
>>	
>>	-- 
>>	tyler at zerodivide dot cx
>>	AIM: zerodivide1101
>>	Mobile SMS: tyler-mobile at zerodivide dot cx
>>	-
>>	To unsubscribe from this list: send the line "unsubscribe linux-admin" in
>>	the body of a message to majordomo@vger.kernel.org
>>	More majordomo info at  http://vger.kernel.org/majordomo-info.html
End of included message



-- 
twalberg@mindspring.com