dtrace discuss - Aug 2008 - Tracking user activity

Hi

I would like to track what users do when they log in to a system. I
don''t want to know every key typed as in shellsnoop and I
don''t want all the execs that I get from execsnoop.

So I thought that it might be really easy combining the shellsnoop with
execsnoop scripts that will give me the exec when one of the  parent process is
an interactive shell.

So I have two questions:

Has anyone done this before or does anybody know how to accomplish what
I''m trying to do?

I obviously don''t really know how to find out in what sequence which
kernel functions/system calls are executed (amongst other things). What would be
an easy way to start building up more knowledge in that field.

Thank you very much for your help.


--
This message posted from opensolaris.org

Chris writes:
> So I thought that it might be really easy combining the shellsnoop with
execsnoop scripts that will give me the exec when one of the  parent process is
an interactive shell.
> 
> So I have two questions:
> 
> Has anyone done this before or does anybody know how to accomplish what
I''m trying to do?
Instead of dtrace, why wouldn''t you use the
''auditing'' feature?  It''s
designed with exactly that sort of usage in mind.

A quick search like this should give you more information about it:

http://www.google.com/search?hl=en&q=site%3Adocs.sun.com+"solaris+auditing"&btnI=I''m+Feeling+Lucky

-- 
James Carlson, Solaris Networking              <james.d.carlson at
sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677