Question:

While keyboard logger is running, why does the finger command show two entries for one session?

Answer:

When KBL is enabled it intercepts login session and additional process sits on terminal line between shell tty and connection. This process is cmdlog and this process creates additional tty shown in command "who". There is no way to avoid two lines per single login when KBL is enabled. When shell scripts performs exit / terminate the cmdlog process also terminates and cleans tty record. Killing process with forced termination kill -9 is not good idea, because it prevents graceful termination and clean up.

Additional Information:

For more information on the keyboard logger, please see our Implementation Guide.

https://docops.ca.com/cminder/12-9/EN/reference/reference-guide/services-and-daemons-in-detail/kblaudmgr-daemon-session-logging