key_filter.4 (2012 03)
key_filter(4) key_filter(4)
after the line of input that triggered keystroke logging.
If a value of dflt is specified, the keystroke module logs all standard input following the line
of input that triggered keystroke logging until the session ends.
Note: Other than the limit imposed by the KEY_STROKE_LOGSIZE parameter in /etc/rbac/rbac.conf,
no limit is placed on the number of output characters logged that are associated with the
standard input following the line of input that triggered keystroke logging.
Filestream
Specifies whether only the input stream (stdin) or both the input stream and the two output
streams (stdout and stderr) are logged.
The valid values for this field are:
ks_stdin Specifies that only the standard input stream is logged.
ks_all Specifies that the standard input stream, as well as the standard output and
the standard error streams are logged.
Note: The maximum number of standard output and standard error characters
logged per input line that precedes a pattern match is governed by the
KEY_STROKE_MAX_OUTPUT_SAVED parameter in /etc/rbac/rbac.conf. No limit is
imposed on the number of standard output and standard error characters logged
for input entered after a pattern match triggers keystroke logging.
EXAMPLES
The following entry is preceded by a comment and sets the keystroke policy to log the input and output of
all user sessions.
# Log all users’ input and output
ks_all
The following entry is preceded by a comment line and sets the keystroke policy to log the input of all
user sessions but not the corresponding output.
# Log all users’ input
ks_stdin
Any of the following three entries can be used to set the keystroke policy to log all standard input,
standard output, and standard error for any session for user forrest. The first entry uses the special case
single star (*) character, while the other two entries contain regular expressions that also match any line.
Because the PatternTrigger string results in all input and output being logged, the BackwardCount and
ForwardCount fields are ignored.
forrest:*:dflt:dflt:ks_all
forrest:.*:dflt:dflt:ks_all
forrest:^.*$:dflt:dflt:ks_all
The following entry sets the keystroke policy to log a line of input entered by user ciera that contains
the mount string, as well as up to 100 standard input characters preceding the appearance of the
mount string and up to 250 standard input characters entered immediately after. The corresponding
standard output or standard error is not logged.
ciera:mount:100:250:ks_stdin
Note: There is no semantic interpretation of the regular expression in the PatternTrigger field. In
the example above, keystroke logging is triggered when a user executes the mount(1m) command
using either a full or relative pathname to the command. However, keystroke logging is also
triggered when a user enters a command such as man 1m mount, as well as when the mount
command is executed without entering the mount string (i.e., execute a symbolic link to the
/usr/sbin/mount instead).
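The following added example (not part of the HP-UX manual) parses the five-field entries shown above and checks which input lines a PatternTrigger would match, which makes the purely textual matching visible when reviewing a policy. Python's re module stands in for the regular expression dialect of the keystroke module, which is an assumption; the function names, the name "subject" for the first field, and the sample input lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

class Entry(NamedTuple):
    subject: str             # first field; the name "subject" is an assumption
    trigger: str             # PatternTrigger
    backward: Optional[int]  # BackwardCount, None when dflt
    forward: Optional[int]   # ForwardCount, None when dflt
    filestream: str          # Filestream: ks_stdin or ks_all

def _count(value: str) -> Optional[int]:
    return None if value == "dflt" else int(value)

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one five-field entry; comment and blank lines return None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        # Split from both ends so a ':' inside the regular expression survives.
        subject, rest = line.split(":", 1)
        trigger, back, fwd, stream = rest.rsplit(":", 3)
    except ValueError:
        raise ValueError(f"expected five ':'-separated fields: {line!r}") from None
    if stream not in ("ks_stdin", "ks_all"):
        raise ValueError(f"unknown Filestream value: {stream!r}")
    return Entry(subject, trigger, _count(back), _count(fwd), stream)

def triggers(entry: Entry, input_line: str) -> bool:
    """True if PatternTrigger matches anywhere in the input line."""
    if entry.trigger == "*":  # special-case single star, not a valid regex itself
        return True
    # Python's re is a stand-in for the module's regex dialect (assumption).
    return re.search(entry.trigger, input_line) is not None

def matching_lines(entry: Entry, lines: List[str]) -> List[str]:
    """Return the input lines that would start keystroke logging."""
    return [ln for ln in lines if triggers(entry, ln)]

# Constructed sample input lines, not taken from a real session.
SAMPLE = ["/usr/sbin/mount /dev/vg00/lvol5 /mnt", "man 1m mount", "ls -l /tmp"]

if __name__ == "__main__":
    policy = parse_entry("ciera:mount:100:250:ks_stdin")
    for ln in matching_lines(policy, SAMPLE):
        print("would trigger logging:", ln)
```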
The following entry sets the keystroke policy to log a line of input entered by a user whose primary group
is adm and contains either the useradd, usermod or userdel string. In addition, up to the default
1024 number of standard input characters preceding the appearance of the useradd, usermod or
2 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: March 2012