I need your help in resolving the details of an idea that I had on enhancing user activity tracking.
The given is that the user has access to their own sh_history file and can make changes (i.e. cover their tracks). We’re utilizing the Bourne shell (/bin/sh) for our system functions and the Korn shell (/bin/ksh) for the user’s startup program.
What we need to figure out is a way to duplicate what is written by the shell to a user’s sh_history file. The duplicate entry will need to be written to another specified file in a restricted directory (i.e. /var/adm/usrlog/.username.log). This way, if the user deletes entries in their own sh_history file, the original commands will still exist in the duplicate file.
I am tired of user deniability. Any ideas? -B
birbone@earthlink.net