Bj├Г┬╢rn,
The UAF /AUDIT flag will record a LOT of informaion. It may be worth trying it on one of your target accounts to see if it does what your auditors want.
For a keystroke log, you can pay for a commercial product, but there's a "poor man's" mechanism using two accounts.
The username the user logs in with is a captive account with no password. The login procedure issues:
$ SET HOST 0/LOG=logfile L_
using this syntax, the login starts with the username, so prompts for the password. Thus the user enters their username, then a password, possibly with some messages in between.
The L_ username needs to be at least RESTRICTED, and granted a MUST_BE_LOGGED identifier. If that identifier is present, the SYLOGIN procedure checks the source of the login and requires it to be the correct user and node, indicating that the session is being logged.
If you want to step the security up a notch, have two different nodes. One for logging, with two network adapters. Users login on one, the node then SET HOSTs through the other one to the target node. Since there's no direct path from the users to the secure node, they only way to get there is via the logging node. (just change the SET HOST 0 to SET HOST ).
Obviously you could use an IP protocol instead of SET HOST, the advantage of SET HOST is you can feed it the username - SSH can do the same) with -l.
A crucible of informative mistakes
