How can the keyboard logger be enabled for PIM or PAMSC endpoints on Linux/Unix servers?

Privileged Identity Manager or PAM Server Control, Unix endpoints

To enable the Keyboard Logger (available for Unix only)

-> in seos.ini set
    kbl_enabled = yes
-> in a selang submit for the user activites to be recorded
    AC> exu <user_name> audit(interactive)
-> login as myuser in a supported shell and submit some commands

-> with auditor privileges execute
    # seaudit -kbl
-> this returns the session id (e.g. 709)
-> to view the actual recorded data run
    # seaudit -kbl -sid 709 -pr

Note:
If you are adding a login shell to the system at a later time please make sure to follow these steps:
-> confirm /etc/shells is referencing the actual binary file of the shell (not the symlink to it), e.g.
  ...
  /bin/ksh93
  ...

-> confirm the user profile is referencing the actual binary file of the shell (not the symlink to it) as login shell, e.g.
    AC> exu <user_name> audit(interactive) unix(shellprog(/bin/ksh93))

-> reload the seos kernel module and rebuild the look aside database, e.g. using these commands
  # secons -sk
  # SEOS_load -u
  # seload
  # sebuildla -a

Note:

• the KBL is not a full keyboard logger, it merely forwards the strings entered in an interactive shell to the kbl.audit file
• he following shells are supported: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh
      Please make sure the shell you use is listed accordingly in /etc/shells
      (if you are facing issues please confirm the above steps in a Linux box with a bash)

Please also see these Articles for further details and additional use case:

• PAMSC - Can I send kbl.audit events to a collector system or syslog
• key logger not record entered commands