Quote: Originally Posted by DukeNuke2
The advantage of the above tool is that you can track all exec() calls made by a particular user; only a very clever hacker-user would be able to hide his tracks.
The advantage of the rootsh tool is that it is not Solaris-specific, and tracks actual command-line usage. The advantage of command-line usage is you can see what the user was trying to do, whereas with auditing, you see what the user actually did.
The choice depends on whether you are trying to account for activity ("Why is the computer always slow when Joe is using it?") or track what users are trying to accomplish ("I typed make, but it didn't work!").
PS: If you are trying to help users through shell interactions, a useful tool is screen (GNU), which allows users to "share" a virtual terminal.