topic Re: Keystroke logging using /usr/bin/script in Operating System - HP-UX

Keystroke logging using /usr/bin/script

Neil Ashworth_1 — Thu, 13 May 2010 17:05:45 GMT

Hi, I have a security requirement to do keystroke logging for when a vendor accesses our production systems. I was all ready to use the new RBAC functionality until I read it does not support SSH. So now I am looking at using /usr/bin/script, however the documentation and man pages are sadly lacking on how to implement in a secure manner. Has anyone done this, or have a white paper I can reference? Or perhaps an even better solution?

Thanks, Neil

Re: Keystroke logging using /usr/bin/script

Prasanth V Aravind — Fri, 14 May 2010 07:24:43 GMT

Hi Neil,

i never heard about any tool which can log all key stroke. But there are some utility which will log user activities.

Power broker is a very good tool which logs all commands & command outputs. but you have to purchase license.

You can used rootsh is open tool which will do the same thing. but i never test it.

you can used hpux history to log all user commands. here with i am giving the implementation steps for this.

1. Login to server & run below commands.

cp /etc/profile /etc/profile.old.bhe
mkdir /var/adm/commandlog/
chmod 733 /var/adm/commandlog/

2. vi /etc/profile & remove old history definitions if exists.

3. Add below entry to the last for profile file.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
HISTFILESIZE=5000
HISTSIZE=5000
export HISTFILE HISTSIZE HISTFILESIZE

GUdluck
Prasanth

Re: Keystroke logging using /usr/bin/script

Ishwar_1 — Fri, 14 May 2010 11:55:16 GMT

Hello Neil,

The script which i use on my system to keep track of all the keystrokes used by the user. Add this line at the bottom of the .profile file in the User Directory of whom you want to keep track.Test it may be this will help you to solve the problem.

#-------------------------------------------------------
#Tracking User Keystrokes
#

THISHOST=$(hostname|CUT -F 2-2 -d".")

#Its path where the Logs Get Generated
#---------------------------------------------------------
LOGDIR=/output/logs
LOGFILE=${THISTHOST}.${logname}.$ts
touch $LOGDIR/$LOGFILE

export PS1="[$LOGNAME:$THISHOST]: \$PWD> "

chown $LOGNAME ${LOGDIR}/${LOGFILE}
chmod 600 ${LOGDIR}/${LOGFILE}
script ${LOGDIR}/${LOGFILE}
clear
chmod 400 ${LOGDIR}/${LOGFILE}

Hope this Information will help you. In case of any further query post it or mail me on:-ishwarraja@hotmail.com

Thanks & B'Rgrds
Ishwar

Re: Keystroke logging using /usr/bin/script

Michael Sillers — Fri, 14 May 2010 14:31:07 GMT

I'm using a modification Prasanth's method to log all users commands (since only a few actually have command line access) and it's working great. Thanks Prasanth.

One caveate though - I found the .profile in the user's home directories overwrote the /etc/profile settings. You'll need to make sure the history entries are not set there.

If you're using Ishwar's method, of course, this does not apply.

Regards
Mike

Re: Keystroke logging using /usr/bin/script

Dennis Handly — Sat, 15 May 2010 02:11:49 GMT

>Mike: You'll need to make sure the history entries are not set there.

You can make the variables readonly in /etc/profile, so they can't be changed.

Re: Keystroke logging using /usr/bin/script

VK2COT — Sun, 16 May 2010 06:16:59 GMT

Hello,

I am a bit puzzled. Where did you
find the information that HP-UX keystroke
logging does not support SSH?

The manuals state:

a) Create an entry (or entries) in the PAM
configuration file (/etc/pam.conf) including
the keystroke library as a session module:

login session optional libpam_keystroke.so.1
dtlogin session optional libpam_keystroke.so.1
sshd session optional libpam_keystroke.so.1
rcomds session optional libpam_keystroke.so.1
OTHER session optional libpam_keystroke.so.1

Note that this module may be configured for
one or more services, depending on the
intended effect of the logging.

b) Enable keystroke logging in /etc/rbac/rbac.conf:

KEY_STROKE_LOGGING = 1

c) Create a keyfilter file under /etc/rbac specifying what users to log. For more
information on customizing specific policies,
see key_filter(4M).

Cheers,

VK2COT

Re: Keystroke logging using /usr/bin/script

Neil Ashworth_1 — Mon, 17 May 2010 14:12:36 GMT

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c01944073/c01944073.pdf

Section 9.6.4.1 it says

Note: The keystroke logging feature does not currently work with Secure Shell (SSH) login.

Re: Keystroke logging using /usr/bin/script

VK2COT — Mon, 17 May 2010 21:54:10 GMT

Hello,

THis is a surprise. But do not trust
the dicumentation without checking.

For another customer, I uncovered
a serious mistake in the document
about supported OS versions for
VMs on Tukwila servers.

The bottom line, it should work.
Best way, try it.

When I get a chance I will certainly do it
myself too :)

VK2COT

Re: Keystroke logging using /usr/bin/script

Neil Ashworth_1 — Tue, 18 May 2010 19:33:34 GMT

Actually I did try to use rbac keystroke logging, and had some success. I found if I just turned on logging and did not create the key filter file, then ALL user activity was logged - each user with their own unique logfile. As soon as I created a key filter file with a specific user registered, then logging stopped working. It was then that I found in the documentation that SSH was not supported, so I stopped my testing using rbac.

I suppose I could go with just 'log everyone' option, but since it is not HP supported, then that would not pass muster with mgmt.

Re: Keystroke logging using /usr/bin/script

VK2COT — Mon, 24 May 2010 06:13:42 GMT

Hello Neil,

a) Could you tell me how your
/etc/rbac/key_filter looks like?

Here is one of my examples from the labs
when I teach HP-UX courses (I am a senior
Unix instructor and architect and, yes,
I am employed by HP).

user2:/bin/ls:dflt:dflt:ks_all

b) HP-UX supports the use of keystroke
logging with SSH as long as the target
system is configured with "UseLogin yes"
in /etc/opt/ssh/sshd_config.

By default, sshd_config has "UseLogin no".

Restart SSH daemons and try again.

Cheers,

VK2COT

Re: Keystroke logging using /usr/bin/script

Gary Beckett — Wed, 28 Jul 2010 19:36:51 GMT

With respect to the /etc/rbac/key_filter file. I'm looking for the proper syntax to this file. I've read the man page on key_filter, but it does not mention the following:
1.) What is the syntax of the file if I want to capture all in/out. I don't want to specify every command possible in this file. There should be a way to capture all commands issued for a specified user. The syntax I have is
user1::dflt:dflt:ks_all
Is that correct? If I leave the second field blank will that cause all the commands to be logged?
2.) The manpage mentions that if the key_filter file exists and there are no entries in it then no logging will happen. But what is the outcome if the key_filter file does not exist?
thanks.