CAPIM: The result of keyboard logger log on RHEL8
search cancel

CAPIM: The result of keyboard logger log on RHEL8


Article ID: 227739


Updated On:


CA Privileged Identity Management Endpoint (PIM)


The user becomes root in kbl log on GUI (gnome) login.
This happens on RHEL 8 but not on RHEL 7.
To record kbl log for GUI login, define following loginappl rule:
AC> editres LOGINAPPL ('GNOME_KBL') audit(ALL) defaccess(EXECUTE) owner('nobody') loginflags(KBLTRIGGE) loginmethod(NORMAL) loginseq(N3GRP N3GID N3UID N3EID FGRP FGID FUID FEID SGRP SGID SUID SEID) loginpath(/usr/libexec/gnome-terminal-server)
However, after logging into the sever via GUI by normal user, sewhoami command shows the user as root and kbl log also shows the user as root (login/logout log shows correct user).
And login terminal is not shown in logs.
# sewhoami -a
# seaudit -kbl
18 Oct 2021 21:34:34 P LOGIN        user01              11903 12                      cmdlog
18 Oct 2021 21:34:45 O LOGOUT       user01              11903 13                      cmdlog
# seaudit -kbl -sid 11903 -cmd
18 Oct 2021 21:34:41 P TRACE        root         616e1c13:00000100 user01       root         KBL input                 11903  INFO    : SessionCmd:  sewhoami -a


Release : 12.8
Component : CA ControlMinder - Unix


adding following loginappl rule resolved the problem:
AC> er LOGINAPPL SYSTEMD loginpath(/usr/lib/systemd/systemd) loginflags(PAM) audit(all) defaccess(X)