How can the keyboard logger be enabled for PIM or PAMSC endpoints on Linux/Unix servers?
Privileged Identity Manager or PAM Server Control, Unix endpoints
To enable the Keyboard Logger (available for Unix only)
-> in seos.ini set
kbl_enabled = yes
-> in selang, submit the following for the user whose activities are to be recorded
AC> exu <user_name> audit(interactive)
-> log in as myuser in a supported shell and submit some commands
-> with auditor privileges execute
# seaudit -kbl
-> this returns the session id (e.g. 709)
-> to view the actual recorded data run
# seaudit -kbl -sid 709 -pr
Note:
If you are adding a login shell to the system at a later time, please make sure to follow these steps:
-> confirm /etc/shells is referencing the actual binary file of the shell (not the symlink to it), e.g.
...
/bin/ksh93
...
-> confirm the user profile is referencing the actual binary file of the shell (not the symlink to it) as login shell, e.g.
AC> exu <user_name> audit(interactive) unix(shellprog(/bin/ksh93))
-> reload the seos kernel module and rebuild the look aside database, e.g. using these commands
# secons -sk
# SEOS_load -u
# seload
# sebuildla -a
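The two "actual binary, not the symlink" checks above can be scripted before reloading the kernel module. This is an added example, not a PIM/PAMSC tool: the function names check_shells and check_login_shell are hypothetical, only the final path component is tested for being a symlink, and it assumes local /etc/passwd accounts and a readlink that supports -f.

```shell
#!/bin/sh
# Added example: not part of the product. Reports shell paths that are symlinks.
# Assumes readlink -f is available (GNU coreutils, recent BSDs).

# check_shells [FILE]: inspect each path listed in FILE (default /etc/shells).
check_shells() {
    shells_file=${1:-/etc/shells}
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        if [ -L "$entry" ]; then
            target=$(readlink -f "$entry" 2>/dev/null || echo unresolved)
            echo "SYMLINK $entry -> $target"
            rc=1
        elif [ ! -f "$entry" ]; then
            echo "MISSING $entry"
            rc=1
        else
            echo "OK $entry"
        fi
    done < "$shells_file"
    return "$rc"
}

# check_login_shell USER [PASSWD_FILE]: same test for field 7 of USER's passwd entry.
check_login_shell() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd_file")
    if [ -z "$shell" ]; then
        echo "NOSHELL $user"
        return 2
    fi
    if [ -L "$shell" ]; then
        echo "SYMLINK $user $shell -> $(readlink -f "$shell" 2>/dev/null)"
        return 1
    fi
    echo "OK $user $shell"
}
```

Source the file and run `check_shells` and `check_login_shell myuser`; any SYMLINK line shows the resolved path to use in /etc/shells and in shellprog().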
Note:
Please also see these articles for further details and additional use cases: