How to enable and use the Keyboard Logger

Document ID : KB000100271
Last Modified Date : 19/06/2018
Introduction:
I want to test Keyboard Logger on a Unix Endpoint.
What are the steps to do so?
Instructions:
To enable the Keyboard Logger (available for Unix only)

-> in seos.ini set
    kbl_enabled = yes
-> in selang, enable interactive auditing for the user whose activities are to be recorded
    AC> exu myuser audit(interactive)
-> log in as myuser in a supported shell and run some commands

-> with auditor privileges execute
    # seaudit -kbl
-> this returns the session id (e.g. 709)
-> to view the actual recorded data run
    # seaudit -kbl -sid 709 -pr


Note:
If you are adding a login shell to the system at a later time please make sure to follow these steps:
-> confirm /etc/shells is referencing the actual binary file of the shell (not the symlink to it), e.g.
  ...
  /bin/ksh93
  ...


-> confirm the user profile is referencing the actual binary file of the shell (not the symlink to it) as login shell, e.g.
    AC> exu myuser audit(interactive) unix(shellprog(/bin/ksh93))

-> reload the seos kernel module and rebuild the look aside database, e.g. using these commands
  # secons -sk
  # SEOS_load -u
  # seload
  # sebuildla -a
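
The /etc/shells and login-shell checks from this note can be scripted and run before the module reload. This is an added example, not CA's code: the function names check_shells_file and check_user_shell and the script name are hypothetical, and it assumes the user is a local account in a passwd-format file.

```shell
#!/bin/sh
# Added example: pre-checks for a newly added login shell.
# File paths are parameters so the checks can run against copies.

# Print each entry of a shells file that is a symlink, with its target.
# Returns 1 if any symlinked entry was found, 0 otherwise.
check_shells_file() {
    shells_file=$1
    found=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac
        if [ -L "$entry" ]; then
            echo "SYMLINK: $entry -> $(readlink "$entry")"
            found=1
        fi
    done < "$shells_file"
    return $found
}

# Check one user's login shell (field 7 of a passwd-format file):
# it must be listed in the shells file and must not be a symlink.
# Returns 0 only when both hold, 2 when the user has no shell entry.
check_user_shell() {
    user=$1 passwd_file=$2 shells_file=$3
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd_file")
    if [ -z "$shell" ]; then
        echo "NO_SHELL: $user"; return 2
    fi
    if ! grep -qxF -- "$shell" "$shells_file"; then
        echo "NOT_LISTED: $shell"; return 1
    fi
    if [ -L "$shell" ]; then
        echo "SYMLINK: $shell -> $(readlink "$shell")"; return 1
    fi
    echo "OK: $shell"
}

# Run against the live files when given a user name: sh check_kbl_shell.sh myuser
if [ $# -ge 1 ]; then
    check_shells_file /etc/shells
    check_user_shell "$1" /etc/passwd /etc/shells
fi
```

Any SYMLINK or NOT_LISTED line points at an entry to correct in /etc/shells or in the user's shellprog setting before running the reload commands above.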
Additional Information:
Note:
-> the KBL is not a full keyboard logger; it only forwards the strings entered in an interactive shell to the kbl.audit file
-> the following shells are supported: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh
    Please make sure the shell you use is listed accordingly in /etc/shells

    (if you are facing issues, please confirm the above steps on a Linux box with bash)

Please also see these articles for further details and additional use cases:
https://comm.support.ca.com/kb/key-logger-not-record-entered-commands/kb000009048
https://comm.support.ca.com/kb/kbl-collector/kb000042551