
Keystroke logging using /usr/bin/script

 
Neil Ashworth_1
Occasional Advisor

Keystroke logging using /usr/bin/script

Hi, I have a security requirement to do keystroke logging for when a vendor accesses our production systems. I was all ready to use the new RBAC functionality until I read it does not support SSH. So now I am looking at using /usr/bin/script, however the documentation and man pages are sadly lacking on how to implement in a secure manner. Has anyone done this, or have a white paper I can reference? Or perhaps an even better solution?

Thanks, Neil
Prasanth V Aravind
Trusted Contributor
Solution

Re: Keystroke logging using /usr/bin/script

Hi Neil,

I have never heard of any tool which can log all keystrokes. But there are some utilities which will log user activities.

Power broker is a very good tool which logs all commands & command outputs, but you have to purchase a license.

You can use rootsh, an open tool which will do the same thing, but I have never tested it.

You can use HP-UX history to log all user commands. Herewith I am giving the implementation steps for this.

1. Log in to the server & run the commands below.

cp /etc/profile /etc/profile.old.bhe
mkdir /var/adm/commandlog/
chmod 733 /var/adm/commandlog/

2. vi /etc/profile & remove old history definitions if they exist.

3. Add the entry below at the end of the profile file.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
HISTFILESIZE=5000
HISTSIZE=5000
export HISTFILE HISTSIZE HISTFILESIZE


Good luck
Prasanth
Ishwar_1
Frequent Advisor

Re: Keystroke logging using /usr/bin/script

Hello Neil,

This is the script which I use on my system to keep track of all the keystrokes used by the user. Add these lines at the bottom of the .profile file in the home directory of the user you want to keep track of. Test it; maybe this will help you to solve the problem.


#-------------------------------------------------------
# Tracking user keystrokes
#

THISHOST=$(hostname | cut -f 2-2 -d".")

# $ts was not defined in the post; this timestamp format is an assumption.
ts=$(date +%Y%m%d%H%M%S)

# Path where the logs get generated
#---------------------------------------------------------
LOGDIR=/output/logs
LOGFILE=${THISHOST}.${LOGNAME}.$ts
touch $LOGDIR/$LOGFILE

export PS1="[$LOGNAME:$THISHOST]: \$PWD> "

# The session runs inside script(1); the log is made read-only once it ends
chown $LOGNAME ${LOGDIR}/${LOGFILE}
chmod 600 ${LOGDIR}/${LOGFILE}
script ${LOGDIR}/${LOGFILE}
clear
chmod 400 ${LOGDIR}/${LOGFILE}


Hope this information will help you. In case of any further query, post it or mail me at ishwarraja@hotmail.com

Thanks & B'Rgrds
Ishwar
Michael Sillers
Trusted Contributor

Re: Keystroke logging using /usr/bin/script

I'm using a modification of Prasanth's method to log all users' commands (since only a few actually have command line access) and it's working great. Thanks Prasanth.

One caveat though - I found the .profile in the users' home directories overwrote the /etc/profile settings. You'll need to make sure the history entries are not set there.

If you're using Ishwar's method, of course, this does not apply.

Regards
Mike
Dennis Handly
Acclaimed Contributor

Re: Keystroke logging using /usr/bin/script

>Mike: You'll need to make sure the history entries are not set there.

You can make the variables readonly in /etc/profile, so they can't be changed.
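
Added example, not part of any post in this thread: a POSIX shell check for the caveat Mike raises and the fix Dennis suggests. It lists per-user startup files that touch the history variables and tests whether a user's file can still redirect HISTFILE once /etc/profile marks it readonly. The home directories, file contents and the `.kshrc`/`.shrc` names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and file contents are constructed.

# find_history_overrides HOMEBASE: print "file:line:text" for every non-comment
# line in a user's startup file that touches HISTFILE or HISTSIZE.
# The list of startup file names is an assumption; extend it for your shells.
find_history_overrides() {
    for f in "$1"/*/.profile "$1"/*/.kshrc "$1"/*/.shrc; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[[:space:]]*#/ && /HISTFILE|HISTSIZE/ {print f ":" NR ":" $0}' "$f"
    done
}

# history_survives SYSPROFILE USERPROFILE: source both files in a child shell,
# in login order, and succeed only if the user's file could not change HISTFILE.
history_survives() {
    sys=$(sh -c '. "$1"; printf "set:%s" "$HISTFILE"' sh "$1")
    eff=$(sh -c '. "$1"; . "$2"; printf "set:%s" "$HISTFILE"' sh "$1" "$2" 2>/dev/null) || :
    # Empty output means the child shell aborted on a write to a readonly variable.
    [ -z "$eff" ] || [ "$eff" = "$sys" ]
}

# Constructed sample: two home directories and two variants of /etc/profile.
build_samples() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/vendor1" "$d/home/vendor2"
    printf 'HISTFILE=/dev/null\nunset HISTSIZE\n' > "$d/home/vendor1/.profile"
    printf '# HISTFILE is set centrally\nPATH=$PATH:/opt/bin\n' > "$d/home/vendor2/.profile"
    printf 'HISTFILE=/var/adm/commandlog/history_demo\nHISTSIZE=5000\nexport HISTFILE HISTSIZE\n' \
        > "$d/profile.plain"
    { cat "$d/profile.plain"; echo 'readonly HISTFILE HISTSIZE'; } > "$d/profile.readonly"
    echo "$d"
}

d=$(build_samples)
find_history_overrides "$d/home"
history_survives "$d/profile.plain" "$d/home/vendor1/.profile" \
    || echo "plain /etc/profile: HISTFILE overridden by user .profile"
history_survives "$d/profile.readonly" "$d/home/vendor1/.profile" \
    && echo "readonly /etc/profile: HISTFILE kept"
rm -rf "$d"
```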
VK2COT
Honored Contributor

Re: Keystroke logging using /usr/bin/script

Hello,

I am a bit puzzled. Where did you
find the information that HP-UX keystroke
logging does not support SSH?

The manuals state:

a) Create an entry (or entries) in the PAM
configuration file (/etc/pam.conf) including
the keystroke library as a session module:

login session optional libpam_keystroke.so.1
dtlogin session optional libpam_keystroke.so.1
sshd session optional libpam_keystroke.so.1
rcomds session optional libpam_keystroke.so.1
OTHER session optional libpam_keystroke.so.1

Note that this module may be configured for
one or more services, depending on the
intended effect of the logging.

b) Enable keystroke logging in /etc/rbac/rbac.conf:

KEY_STROKE_LOGGING = 1

c) Create a keyfilter file under /etc/rbac specifying what users to log. For more
information on customizing specific policies,
see key_filter(4M).

Cheers,

VK2COT
VK2COT - Dusan Baljevic
Neil Ashworth_1
Occasional Advisor

Re: Keystroke logging using /usr/bin/script

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c01944073/c01944073.pdf

Section 9.6.4.1 it says

Note: The keystroke logging feature does not currently work with Secure Shell (SSH) login.
VK2COT
Honored Contributor

Re: Keystroke logging using /usr/bin/script

Hello,

This is a surprise. But do not trust
the documentation without checking.

For another customer, I uncovered
a serious mistake in the document
about supported OS versions for
VMs on Tukwila servers.

The bottom line, it should work.
Best way, try it.

When I get a chance I will certainly do it
myself too :)

VK2COT
VK2COT - Dusan Baljevic
Neil Ashworth_1
Occasional Advisor

Re: Keystroke logging using /usr/bin/script

Actually I did try to use rbac keystroke logging, and had some success. I found if I just turned on logging and did not create the key filter file, then ALL user activity was logged - each user with their own unique logfile. As soon as I created a key filter file with a specific user registered, then logging stopped working. It was then that I found in the documentation that SSH was not supported, so I stopped my testing using rbac.

I suppose I could go with just 'log everyone' option, but since it is not HP supported, then that would not pass muster with mgmt.
VK2COT
Honored Contributor

Re: Keystroke logging using /usr/bin/script

Hello Neil,

a) Could you tell me what your
/etc/rbac/key_filter looks like?

Here is one of my examples from the labs
when I teach HP-UX courses (I am a senior
Unix instructor and architect and, yes,
I am employed by HP).

user2:/bin/ls:dflt:dflt:ks_all

b) HP-UX supports the use of keystroke
logging with SSH as long as the target
system is configured with "UseLogin yes"
in /etc/opt/ssh/sshd_config.

By default, sshd_config has "UseLogin no".

Restart SSH daemons and try again.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
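
Added example, not part of any post in this thread: a POSIX shell check for the three settings VK2COT names (the sshd session entry in /etc/pam.conf, KEY_STROKE_LOGGING = 1 in /etc/rbac/rbac.conf, and UseLogin yes in /etc/opt/ssh/sshd_config). It takes a root prefix so it can run against a copy of the configuration; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify the settings listed above.
# $1 is a root prefix so a copied config tree can be audited; "" = live system.
check_keystroke_prereqs() {
    root=$1; rc=0
    # pam.conf fields: service, type, control flag, module path
    if awk '$1 == "sshd" && $2 == "session" && $4 ~ /libpam_keystroke\.so\.1$/ {ok = 1}
            END {exit !ok}' "$root/etc/pam.conf" 2>/dev/null
    then echo "OK      pam.conf sshd session libpam_keystroke.so.1"
    else echo "MISSING pam.conf sshd session libpam_keystroke.so.1"; rc=1
    fi
    if grep -Eq '^[[:space:]]*KEY_STROKE_LOGGING[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
            "$root/etc/rbac/rbac.conf" 2>/dev/null
    then echo "OK      rbac.conf KEY_STROKE_LOGGING = 1"
    else echo "MISSING rbac.conf KEY_STROKE_LOGGING = 1"; rc=1
    fi
    # sshd keywords are case-insensitive and the first occurrence wins;
    # a commented-out "#UseLogin" line never matches.
    val=$(awk 'tolower($1) == "uselogin" {print tolower($2); exit}' \
            "$root/etc/opt/ssh/sshd_config" 2>/dev/null)
    if [ "$val" = "yes" ]
    then echo "OK      sshd_config UseLogin yes"
    else echo "MISSING sshd_config UseLogin yes (found: ${val:-unset, default no})"; rc=1
    fi
    return $rc
}

# Constructed sample tree; $1 is the UseLogin value to write.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/rbac" "$t/etc/opt/ssh"
    printf '%s\n' '# constructed sample' \
        'login session optional libpam_keystroke.so.1' \
        'sshd session optional libpam_keystroke.so.1' > "$t/etc/pam.conf"
    printf 'KEY_STROKE_LOGGING = 1\n' > "$t/etc/rbac/rbac.conf"
    printf '#UseLogin yes\nUseLogin %s\n' "$1" > "$t/etc/opt/ssh/sshd_config"
    echo "$t"
}

demo=$(make_sample_tree no)
check_keystroke_prereqs "$demo" || echo "=> keystroke logging will not cover SSH logins"
rm -rf "$demo"
```

Upstream OpenSSH removed the UseLogin option in release 7.4, so the third check applies only to sshd builds that still accept it.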
Gary Beckett
Occasional Advisor

Re: Keystroke logging using /usr/bin/script

With respect to the /etc/rbac/key_filter file. I'm looking for the proper syntax to this file. I've read the man page on key_filter, but it does not mention the following:
1.) What is the syntax of the file if I want to capture all in/out. I don't want to specify every command possible in this file. There should be a way to capture all commands issued for a specified user. The syntax I have is
user1::dflt:dflt:ks_all
Is that correct? If I leave the second field blank will that cause all the commands to be logged?
2.) The manpage mentions that if the key_filter file exists and there are no entries in it then no logging will happen. But what is the outcome if the key_filter file does not exist?
Thanks.