topic Re: Log the keystoke from remote access in Operating System - OpenVMS

Log the keystoke from remote access

Kitti Thanapuasuwan — Sat, 03 Apr 2004 08:11:26 GMT

Is there any way to log all the keystoke from the Remote terminal? Sometimes I need support from vendor. We allow them to connect via modem thru DecServer. For security purpose all the activity they did have to record.

TIA

Re: Log the keystoke from remote access

Hein van den Heuvel — Sat, 03 Apr 2004 10:39:18 GMT

I believe there are 3rd party products in this space. The best VMS native tool would probably be SET HOST /LOG.
Maybe can point the vendor to a relatively easy, captive, guest account which then prompts them for a sort-of-secure real logging from a script with set host/log?!

fwiw,
Hein.

Re: Log the keystoke from remote access

Jan van den Ende — Sat, 03 Apr 2004 12:33:08 GMT

I second Hein.

Since we have NO DECnet connections to the outside world (network guys can't or won't handle it, regrettably) it is very easy to distinguish in LOGIN.COM between an outside (FTP) and a local (DECnet) remote login.
If FTP, then SET HO 0/LOG= does the trick. And the LOGfile is at a location that is protected by an ACL that is DISabled on DECnet login.
Of course LOGIN.COM has a security alarm.

I think you will be able to adapt this idea to your local needs.

Re: Log the keystoke from remote access

Martin P.J. Zinser — Sat, 03 Apr 2004 16:42:50 GMT

Hi,

DetectiveAO from Pointsecure ( http://www.pointsecure.com/sysdetao.htm ) seems to be a product that fills your request.

Greetings, Martin

Re: Log the keystoke from remote access

Mike Naime — Sun, 04 Apr 2004 22:11:37 GMT

We use PEEK & SPY. I forget the vendor for it.

I have a DS10 that is my firewall/gateway for all remote access into my VMS servers. All activity is logged at the same source for the license cost of one DS10. This is also my DSNLINK system, and Consoleworks system. So, when Compaq/HP connect to this server, I have logs of the activity, and I can monitor (Peek) what they are doing. This is especially helpful when you are trouble shooting an issue and you need to discuss what is scrolling by on the console of a system.

The SPY function allows you to takeover their session and even lock their keyboard input.

Re: Log the keystoke from remote access

John Gillings — Sun, 04 Apr 2004 23:14:29 GMT

If you don't want to pay for a 3rd party solution, there's a relatively simple mechanism you can use to keep logs of a particular user.

You need 2 usernames for the user. The first is captive and has no password. The LOGIN.COM just does:

$ SET HOST/LOG=filespec 0
second-username

the user only enters a password at the second login. This second account is restricted and does a check on login that the "remote" user and node are
the first account (rejecting any logins that aren't). This should be done from SYLOGIN.COM. Simplest approach is to grant an identifier (say "SECURE_USER") to mark users who must login this way.

If you have many users, then call the first user something like "SECURE" then have the user enter their actual username/password to the second. They will see something like:

Username: SECURE
WARNING - All activity will be logged
Username: VENDOR
Password: password

The truly paranoid will dedicate a system to the "SECURE" account. External logins will be directed to it via a private subnet, and SET HOST to the internal network. All logins will be checked that they originate from the logging system.

Re: Log the keystoke from remote access

Mobeen_1 — Tue, 06 Apr 2004 01:07:37 GMT

Kitti,
I would advise that you explore ControlIT and SupportIT from RAXCO. I have been using these products for years and they are pretty cool. They allow you to view your users screen, help you to gain control of their screens and so on. You can get additional info from the following site
http://www.raxco.com/products/downloadit/vms_download.cfm

In case you are not willing to spend on this software, then you may have to explore some VMS native ways of logging things like
set h/log and so on

regards
Mobeen