CHAPTER 28: Monitoring and Auditing User Keystrokes by Randal K. Michael


CHAPTER 28

Monitoring and Auditing User Keystrokes

In most large shops there is a need, at least occasionally, to monitor a user's actions. Under the Sarbanes-Oxley auditing requirements for publicly traded United States companies, we are now required to audit the keystrokes of anyone with root access to the system or access to other administration-type accounts, such as oracle. Contractors on site can pose a particular security risk. Typically, when a new application comes into the environment, one or two contractors are on site for a period of time for installation, troubleshooting, and training personnel on the product. I always set up contractors in sudo (see Chapter 23, “Creating a System-Configuration Snapshot,” for more details on sudo) to access the new application account, after I change the password. sudo logs only the commands that were entered, each with a date/time stamp. The command output on stdout and stderr is not logged, so you do not have a complete audit trail of exactly what happened if a problem arises.

To get around this dilemma you can track a user's keystrokes from the time he or she accesses a user account until the time he or she exits the account, if you have the space for the log file. This little feat is accomplished using the script command. The idea is to use sudo to kick off a shell script that starts a script session. While the script session is running, all of the input and output on the terminal is captured in the log file. Of course, ...
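The sudo-plus-script arrangement just described, written out as an added example (this is not the chapter's own script). It assumes a wrapper installed as /usr/local/bin/keystroke_audit.sh, a root-owned log directory /var/log/keylogs, and the Linux util-linux syntax for script (`script -c command logfile`); on AIX, HP-UX and the BSDs, script takes the log file as its only argument and starts $SHELL, so the final exec line would change there. The sudoers entry in the comment is likewise an assumed example. The wrapper builds a per-session log name from the target account, the invoking user (SUDO_USER) and a timestamp, writes a header line naming who started the session, and then hands the terminal to script, which records everything typed and everything printed until the target shell exits.

```shell
#!/bin/bash
# keystroke_audit.sh (hypothetical wrapper; added example, not the book's code)
#
# Assumed sudoers entry letting a contractor open an audited oracle session:
#   contractor ALL=(root) /usr/local/bin/keystroke_audit.sh oracle
# The contractor then runs:  sudo /usr/local/bin/keystroke_audit.sh oracle

LOGDIR="${KEYLOG_DIR:-/var/log/keylogs}"   # assumed location; root-owned, mode 0700

# Compose <logdir>/<target>_<invoker>_<YYYYMMDD_HHMMSS>.log
build_log_name() {
    target="$1"; invoker="$2"; stamp="$3"
    printf '%s/%s_%s_%s.log\n' "$LOGDIR" "$target" "$invoker" "$stamp"
}

# Accept only a plain account name (no path or option characters) that exists
# in the passwd database, so the argument cannot smuggle anything into su.
valid_account() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    getent passwd "$1" >/dev/null 2>&1
}

start_session() {
    target="$1"
    invoker="${SUDO_USER:-$(id -un)}"      # sudo exports the real caller here
    stamp=$(date +%Y%m%d_%H%M%S)
    logfile=$(build_log_name "$target" "$invoker" "$stamp")

    # The log is created by root before privileges drop to the target account,
    # so the audited user can neither read nor alter it.
    mkdir -p "$LOGDIR" && chmod 700 "$LOGDIR"
    : > "$logfile" && chmod 600 "$logfile"
    printf 'AUDIT: %s opened a session as %s at %s\n' \
        "$invoker" "$target" "$stamp" >> "$logfile"

    # script captures all terminal input and output; -a appends after the
    # header, -q suppresses the "Script started" banner. exec replaces this
    # wrapper, so nothing runs after the audited shell exits.
    exec script -q -a -c "su - $target" "$logfile"
}

main() {
    if [ "$#" -ne 1 ] || ! valid_account "$1"; then
        echo "usage: $0 <existing-account>" >&2
        return 2
    fi
    start_session "$1"
}

# Only start a session when an account was given on the command line.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Because the log directory and file are created by root with mode 0700/0600 before su switches to the target account, the person being audited has no write access to their own transcript; review the files with a normal pager, bearing in mind that script records control characters and escape sequences exactly as the terminal saw them.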
