Well my, my, what a bunch of well thought out answers! The basic problem you face unless you use kind of MLS option is that the user is root, therefore anything that you do can be changed by them, its a bit catch 22 really. You could write your logs across the network to an NFS device that does not allow root access, this raises the bar a bit, however in most environments root could simply su to the user that owned the auditing information and then change it, however if the admins that you wish to audit do not control your naming service this becomes more difficult, but hey then they can just change /etc/nsswitch.conf and use the local file! So as you can see this auditing is a difficlut subject before we even get on to how to audit them (surely running script was a joke? You would have to exec script to stop the user from exiting out of it and as soon as you exec it you lose your environment - duh).
The only way to do this kind of thing is to use a MLS version of UNIX, I beleive trusted system mode implments this, in this scenario you have permissions applied to system calls in the kernel, you have one user who is root and the hold all the cards apart from the right to assign kernel permisisons and alter the audit information, the other user (formerly known as your security officer), can assign kernel level priveledge and alter the audit information.
Hope this helps.
