CHAPTER28

Monitoring and Auditing User Keystrokes

In most large shops there is a need, at least occasionally, to monitor a user's actions. Thanks to Sarbanes-Oxley requirements on publicly traded United States companies for auditing, we are now required to audit the keystrokes of anyone with root access to the system or other administration type accounts, such as oracle. Contractors on site can pose a particular security risk. Typically when a new application comes into the environment, one or two contractors are on site for a period of time for installation, troubleshooting, and training personnel on the product. I always set up contractors in sudo (see Chapter 23, “Creating a System-Configuration Snapshot,” for more details on sudo) to access the new application account, after I change the password. sudo tracks only the commands that were entered with a date/time stamp. The detail of the command output from stdout and stderr does not get logged so you do not have a complete audit trail of exactly what happened if a problem arises.

To get around this dilemma you can track a user's keystrokes from the time he or she accesses a user account until the time he or she exits the account, if you have the space for the log file. This little feat is accomplished using the script command. The idea is to use sudo to kick off a shell script that starts a script session. When the script session is running, all of the input and output on the terminal is captured in the log file. Of course, ...