To be more precise, most Unices do have accounting facilities that will record the name of every process that's run. These are not usually (never?) turned on by default.

The problem with this is that all it really records is the name of the process. Assuming that the user is intending to be sneaky, he's likely to rename the process ``ls'' or ``pine'' or ``top'' or ``BitchX'' or something else that's not likely to draw attention, just so that it becomes more difficult to find it in process accounting or simple process listings.

The detectable thing that's closest to uniquely identifying it will be the TCP connection to an IRC server. Of course, then you have to do more investigation if the process name is ``BitchX'', as long as innocuous IRC is allowed.

If he's looking to prevent this sort of thing, he might want to make a different filesystem for users home directories and mount it ``noexec'', so that they can't run programs that they put on the system themselves. He'd probably want to make /tmp ``noexec'' as well.