Customers need the ability to track users as they SU to root and perform command line activities as root.
This capability exists in the product today. I’ve highlighted the relevant options in the screenshot below:
· Log process assignment messages: Enable this to get an event for each process as it’s created. We normally don’t enable this for interactive UNIX PSETs because UNIX shells start processes left & right, so you get a large amount of activity.
· Log process assignment command line arguments: Enable this to get the actual command line arguments included in the process assignment event.
Enable both of these to log command line argument events. These options exist for each PSET at the group and global levels, so if you only want to enable this for root users, you can just enable it there.
PLEASE NOTE: Normal Process Set (PSET) assignment messages do not get marked as real-time events and thus are not sent to the management server. If you want all of these sent to the server and visible in the Console, you’ll have to modify the logging rules in your IPS configuration to make that happen.