>You want the vendor to do it right by capturing the relevant data as close to >the kernel as possible. possibly in ld.so ? :-) This is (sort of) related to work I've been doing, but for a different reason. :-) I'm looking to be able to capture/log information about command usage. Things like when user "daemon" or "bin" uses telnet(1) or ls(1) I want to *know* about it. Tracking intrusions is the main reason for this sort of "tripwire" program. I also want the ability to wraper programs against an access control list on a user-by-user basis. e.g. user "bpowell" is allowed to use ps(1) but user "foo" isn't. putting it into ld.so has the advantage of being able to leave the "generic" programs intact. just a thought, ======================================================================= Brad Powell : brad.powell@Sun.COM | | Full Time: Sr. Network Security Analyst |Part time: Cyberspace PI ENS Network Security Group | and Consultant Sun Microsystems Inc. | ======================================================================= The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc. =======================================================================