Key logger does not record entered commands

Article ID: 9048


Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

Commands are not shown in the key logger command log ('seaudit -kbl -sid xxx -cmd') if they are entered before the shell returns to the prompt from the previous command.

Example:
1. Log in to the server as a user who has audit(interactive).
2. Enter some commands before the shell returns to the prompt from the previous command.
-----
$ sleep 10
id
whoami
$ id
uid=101(user01) gid=1(other)
$ whoami
user01
-----
In the above case, 'id' and 'whoami' are the commands entered before the shell returned to the prompt from the previous command ('sleep 10').

3. Check the KBL command log.
-----
# seaudit -kbl -sid xxxx -cmd
04 Sep 2017 03:16:08 P TRACE user01 59acf945:00000143 user01 user01 KBL input 4988 INFO : SessionCmd: sleep 10
-----

The commands entered before the shell returned to the prompt from the previous command ('id' and 'whoami') are not shown.
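A reconciliation check for the gap described above, as an added example that is not vendor code: it parses the '-cmd' record layout shown in step 3 and compares it with the commands echoed at the prompt in the step 2 session. It assumes an independent transcript of the session is available and that the prompt is '$ '; the function names are hypothetical, and both samples are copied from this article.

```python
import re
from collections import Counter

# Record layout taken from the single '-cmd' line shown in this article.
KBL_CMD = re.compile(
    r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} .*? KBL input \d+ \w+ : SessionCmd: (?P<cmd>.*)$"
)

def kbl_commands(log_text):
    """SessionCmd values, in order, from 'seaudit -kbl -sid ... -cmd' output."""
    cmds = []
    for line in log_text.splitlines():
        m = KBL_CMD.match(line.strip())
        if m:
            cmds.append(m.group("cmd").strip())
    return cmds

def transcript_commands(transcript, prompt="$ "):
    """Commands the shell ran: every non-empty line echoed after the prompt.
    Type-ahead input appears twice (raw, then after the prompt); only the
    prompt echo is counted, so each executed command is counted once."""
    found = []
    for line in transcript.splitlines():
        if line.startswith(prompt) and line[len(prompt):].strip():
            found.append(line[len(prompt):].strip())
    return found

def missing_from_kbl(executed, logged):
    """Executed commands with no KBL record (multiset difference, order kept)."""
    remaining = Counter(logged)
    missing = []
    for cmd in executed:
        if remaining[cmd] > 0:
            remaining[cmd] -= 1
        else:
            missing.append(cmd)
    return missing

# Sample data copied from steps 2 and 3 of this article.
KBL_LOG = ("04 Sep 2017 03:16:08 P TRACE user01 59acf945:00000143 user01 user01 "
           "KBL input 4988 INFO : SessionCmd: sleep 10")
TRANSCRIPT = "$ sleep 10\nid\nwhoami\n$ id\nuid=101(user01) gid=1(other)\n$ whoami\nuser01\n"

if __name__ == "__main__":
    gap = missing_from_kbl(transcript_commands(TRANSCRIPT), kbl_commands(KBL_LOG))
    print("commands executed but absent from the KBL command log:", gap)
```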

Environment

Privileged Identity Manager 12.8, Linux endpoints

Cause

This is a product limitation in the current release.

Resolution

There is no workaround or solution for this at this time.
You can see the commands by using other seaudit options (-exe, -pr and -rp) instead of -cmd.