On 13/07/2012 19:09, Boyce, Kevin P (AS) wrote:
> Wouldn't another option be to audit the exec of particular
> executables you are interested in knowing if someone runs?
> Obviously you won't know what they are typing into text documents and such, but is
> that really required? Most places don't allow key loggers at all and it sounds like
> that's what you've got.

Nope, that's not required. What is required is to log every
root-privileged action: sudo goes in /var/log/secure, real root shells
nowhere. The only solution I found was with pam_audit_tty, which has the
side effect of logging every keystroke, but I'm open to other solutions;
creating a list of binaries to watch cannot be one.
--
Cheers,
Florian Crouzat