How to enable and use the Keyboard Logger

Document ID : KB000100271
Last Modified Date : 19/06/2018
I want to test Keyboard Logger on a Unix endpoint.
What are the steps to do so?
To enable the Keyboard Logger (available for Unix only)

-> in seos.ini set
    kbl_enabled = yes
-> in selang, submit the following for the user whose activities are to be recorded
    AC> exu myuser audit(interactive)
-> login as myuser in a supported shell and submit some commands

-> with auditor privileges execute
    # seaudit -kbl
-> this returns the session id (e.g. 709)
-> to view the actual recorded data run
    # seaudit -kbl -sid 709 -pr

If you add a login shell to the system at a later time, please make sure to follow these steps:
-> confirm /etc/shells is referencing the actual binary file of the shell (not the symlink to it), e.g.

-> confirm the user profile is referencing the actual binary file of the shell (not the symlink to it) as login shell, e.g.
    AC> exu myuser audit(interactive) unix(shellprog(/bin/ksh93))

-> reload the seos kernel module and rebuild the look aside database, e.g. using these commands
  # secons -sk
  # SEOS_load -u
  # seload
  # sebuildla -a
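
The two "confirm" steps above can be checked with a short script before the kernel module is reloaded. This is an added example, not part of the original article or of the product; the function names check_shells_file and check_login_shell are made up for illustration, and the login shell path is passed in by hand.

```shell
#!/bin/sh
# Added example: verify that shells-file entries are real binaries, not symlinks.
# Function names are hypothetical helpers, not product commands.

# Print one status line per entry of a shells-format file:
#   OK <path> | SYMLINK <path> -> <target> | MISSING <path>
# Returns 1 if any entry is a symlink or missing, otherwise 0.
check_shells_file() {
    shells_file=$1
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        # /etc/shells may contain comments and blank lines; skip them.
        case $entry in
            ''|'#'*) continue ;;
        esac
        if [ -L "$entry" ]; then
            echo "SYMLINK $entry -> $(readlink "$entry")"
            rc=1
        elif [ -f "$entry" ] && [ -x "$entry" ]; then
            echo "OK $entry"
        else
            echo "MISSING $entry"
            rc=1
        fi
    done < "$shells_file"
    return $rc
}

# Succeed only if the login shell is listed verbatim in the shells file
# and is itself a regular file rather than a symlink.
# Usage: check_login_shell /bin/ksh93 /etc/shells
check_login_shell() {
    if ! grep -Fxq -- "$1" "$2"; then
        echo "NOT LISTED $1"; return 2
    fi
    if [ -L "$1" ]; then
        echo "SYMLINK $1 -> $(readlink "$1")"; return 1
    fi
    if [ ! -f "$1" ]; then
        echo "MISSING $1"; return 1
    fi
    echo "OK $1"
}

# When run with a file argument (e.g. /etc/shells), audit that file.
if [ "$#" -ge 1 ]; then check_shells_file "$1"; fi
```

Any SYMLINK line names the path to replace with its target, both in /etc/shells and in the shellprog value of the user.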
Additional Information:
-> the KBL is not a full keyboard logger; it merely forwards the strings entered in an interactive shell to the kbl.audit file
-> the following shells are supported: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh
    Please make sure the shell you use is listed accordingly in /etc/shells

    (if you are facing issues, please confirm the above steps on a Linux box with bash)

Please also see these Articles for further details and additional use case: