Over at one of IBM’s many developer websites, there’s an article on new features of the Korn Shell. “New features of the Korn Shell provide system administrators and management with the ability to monitor, track, record, and audit every command executed by any user of a system. This is different from the normal shell history, and provides detailed information that includes date, time, tty, user, and the command. This information can be stored locally or transmitted in real time to a remote logging system.”
KornShell 93 Auditing
Submitted by BlueVoodoo 2008-09-04 General Development 3 Comments
What a neat document. IBM has a lot of these little mini-unix-whitepapers that are always fun to read. Historically, I have really disliked ksh and never wanted to use it, but this brings an interesting perspective, but I like zsh :o)
Pretty great feature to be sure, and long overdue. However it’s not exactly a watertight solution. It’s better than nothing, but I think it would not be difficult to get around this logging, starting with firing up a different shell, or masking your commands by running them in a script.
At one time a truly excellent solution for shell auditing was the OSS project Enterprise Audit Shell, but unfortunately that project was quickly shut down when the source code was bought by some company that turned it into a commercial product.
I’ve always thought that taking up the last version of the source that was released and running w/it would be a great OSS project to get involved with, but I have no time for it.
I can imagine the first command that anyone who wants to get actual work done would issue would be “bash” or “zsh”
Granted the auditing is probably INTENDED as soimething to run on a server to try and catch hackers, but the potentials for abuse are, to put it mildly, immense.