Pascal was discussing command-line auditing... this is almost keystroke monitoring; if you're going to go to that length, y'might as well shovel everyone through a shell shim that sets up a pair of PTYs and logs all the characters that the user stuffs through it. There have been times, though, when I've REALLY wanted more information than what "lastcomm" gives us [if it gives us anything at all]. I remember an occasion when I wound up using that old TIOCSTI program to bang "history > /tmp/xxx" into an intruder's [?] input buffer, just so I could see what he'd been doing all that time. It worked, and then someone pointed out that the machine in question had "gcore", which wouldn't have clued the guy in that I was on to him... _H*