[Gllug] Keystroke logging

Steve Cobrin cobrin at highbury.net
Fri Mar 14 17:00:52 UTC 2003


On Friday 14 March 2003 12:55, Tethys wrote:
> Does anyone know of any keystroke logging facilities for Linux? I have
> a requirement to log all keystrokes of privileged users (essentially,
> anyone doing anything as root). I'm guessing that it would need to be
> a kernel module of some kind.
>
> Note that I'm not interested in physical devices that sit between the
> machine and keyboard -- none of these machines have keyboards at all,
> and are accessed either via the network or a serial console.
>
> Tet

Ok, quick/snap answer....

In a commercial environment, I've recommended and implemented "sudo" 
combined with codes of practice on how to use it, and how not to use 
it, e.g. don't do "sudo su -" always do "sudo command". Naturally also 
identify which users absolutely need superuser access, and can they be 
restricted to a small subset of commands.

If actual keystroke logging of console access is required, "script" is 
quite useful, but curses based interfaces and commands like vi are hard 
to analyse. X based applications are difficult, unless the application 
itself supports logging.

You can switch on auditing, but the output tends to be cryptic, and not 
that useful.

Tripwire and Aide, even RPM, can help identify changes to system 
configuration files, and are useful adjuncts to track changes outside 
of a proper configuration management system.

Another possibility is to restrict superuser access to logged ssh 
connections or console server connections (conserver).

So the basic answer is, it's difficult, but may not be necessary; sudo should 
be sufficient to log commands, or at least give you a heads-up on who 
was doing what, when something goes wrong. 

  -- Steve

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
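
An added example, not part of the original message: a small reviewer for sudo's syslog entries that reports who ran what, and flags the "sudo su -" style shell handoffs and denied attempts that the reply's code of practice is meant to catch. The log lines, host and user names, and the SHELLS list are constructed assumptions.

```python
import re

# sudo's syslog entry: user : [error ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...
SUDO_LINE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<error>[^;]+) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)

# Programs that hand over an interactive shell (assumed list; extend per site policy).
SHELLS = {"su", "sh", "bash", "csh", "tcsh", "ksh", "zsh"}

def parse(line):
    """Return the fields of a sudo log entry, or None for any other line."""
    m = SUDO_LINE.search(line)
    return m.groupdict() if m else None

def opens_shell(command):
    """True when the program sudo ran is a shell or su, so later commands go unlogged."""
    program = command.split()[0]
    return program.rsplit("/", 1)[-1] in SHELLS

def review(lines):
    """Return (user, reason, command) for each entry that breaks the code of practice."""
    findings = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        if entry["error"]:
            findings.append((entry["user"], "denied: " + entry["error"], entry["command"]))
        elif entry["runas"] == "root" and opens_shell(entry["command"]):
            findings.append((entry["user"], "root shell", entry["command"]))
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "Mar 14 12:01:02 gw1 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apachectl restart",
    "Mar 14 12:05:40 gw1 sudo:      bob : TTY=ttyS0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -",
    "Mar 14 12:09:13 gw1 sudo:    carol : command not allowed ; TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/passwd root",
    "Mar 14 12:10:00 gw1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2",
]

if __name__ == "__main__":
    for user, reason, command in review(SAMPLE_LOG):
        print(f"{user}: {reason}: {command}")
```
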