I want to test Keyboard Logger on a Unix Endpoint.
What are the steps to do so?
To enable the Keyboard Logger (available for unix only)
-> in seos.ini set
kbl_enabled = yes
-> in a selang submit for the user activities to be recorded
AC> exu myuser audit(interactive)
-> login as myuser in a supported shell and submit some commands
-> with auditor privileges execute
# seaudit -kbl
-> this returns the session id (e.g. 709)
-> to view the actual recorded data run
# seaudit -kbl -sid 709 -pr
If you are adding a login shell to the system at a later time please make sure to follow these steps:
-> confirm /etc/shells is referencing the actual binary file of the shell (not the symlink to it), e.g.
-> confirm the user profile is referencing the actual binary file of the shell (not the symlink to it) as login shell, e.g.
AC> exu myuser audit(interactive) unix(shellprog(/bin/ksh93))
-> reload the seos kernel module and rebuild the look aside database, e.g. using these commands
# secons -sk
# SEOS_load -u
# sebuildla -a
-> the KBL is not a full keyboard logger, it merely forwards the strings entered in an interactive shell to the kbl.audit file
-> The following shells are supported: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh
Please make sure the shell you use is listed accordingly in /etc/shells
(if you are facing issues please confirm the above steps in a Linux box with a bash)
Please also see these Articles for further details and additional use cases:
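A pre-flight check for the shell requirements in the steps above, written as an added example that is not part of the original article or the product: it flags symlinked entries in an /etc/shells-style file and in a user's login shell, and confirms the kbl_enabled line in a seos.ini-style file. The fixture directory, the passwd line for myuser and the stand-in ksh93/ksh files are constructed for the demo; point the functions at the real files on an endpoint.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight check for the KBL
# shell requirements described above: every entry in /etc/shells and the user's
# login shell must be the real binary, not a symlink. File paths are parameters
# so the functions run here against constructed fixtures instead of the endpoint.

# classify_path PATH: "binary" for a regular file, "symlink" for a symbolic link, else "missing"
classify_path() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo binary
    else echo missing
    fi
}

# check_shells_file FILE: one "<status> <path>" line per entry (comments and blanks skipped).
# Returns 1 if any entry is not a plain binary, which the setup steps above require.
check_shells_file() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        st=$(classify_path "$entry")
        echo "$st $entry"
        [ "$st" = binary ] || rc=1
    done < "$1"
    return $rc
}

# login_shell_status USER PASSWD_FILE: classify USER's login shell (field 7 of a passwd line)
login_shell_status() {
    sh_path=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ -n "$sh_path" ] || { echo missing; return 1; }
    classify_path "$sh_path"
}

# kbl_enabled SEOS_INI: succeeds only if the file carries "kbl_enabled = yes"
kbl_enabled() {
    grep -Eq '^[[:space:]]*kbl_enabled[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Constructed fixtures: a stand-in "ksh93" binary plus a "ksh" symlink pointing at it
DEMO=$(mktemp -d)
printf '#!/bin/sh\n' > "$DEMO/ksh93"; chmod +x "$DEMO/ksh93"
ln -s "$DEMO/ksh93" "$DEMO/ksh"
printf '# valid login shells\n%s\n%s\n' "$DEMO/ksh93" "$DEMO/ksh" > "$DEMO/shells"
printf 'myuser:x:1001:1001::/home/myuser:%s\n' "$DEMO/ksh" > "$DEMO/passwd"
printf 'kbl_enabled = yes\n' > "$DEMO/seos.ini"
check_shells_file "$DEMO/shells" || echo "fix /etc/shells: replace symlinks with real binaries"
echo "myuser login shell: $(login_shell_status myuser "$DEMO/passwd")"
kbl_enabled "$DEMO/seos.ini" && echo "kbl_enabled = yes is set"
```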