keystroke.5 (2012 03)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

keystroke(5) keystroke(5)

NAME

RBAC keystroke logging feature

DESCRIPTION

The keystroke logging feature supports the logging of terminal input (stdin) for user login sessions and,

optionally, the corresponding terminal output (stdout and stderr). This feature is conﬁgured by modifying

the

/etc/rbac/key_filter

and the /etc/rbac/rbac.conf

conﬁguration ﬁles. For details, see

key_ﬁlter (4) and rbac.conf (4).

Authorized users can modify the

/etc/rbac/key_filter

ﬁle to create a customized keystroke log-

ging policy for logging terminal input, and optionally the corresponding output, for all users or only a

subset of users based on user names, user groups, or role membership.

The

/etc/rbac/key_filter

ﬁle can be conﬁgured to log an entire session or to only start logging

when the user inputs a string that matches a regular expression string. In the latter case, a conﬁgurable

backward count and forward count impose a limit on the number of input characters directly preceding

and following the line of input that triggered keystroke logging. A conﬁgurable limit is also imposed on

the number of output characters logged for each line of input preceding the line of input that triggered

keystroke logging (see the description of the

KEY_STROKE_MAX_OUTPUT_SAVED

parameter in

rbac.conf (4)). There is no limit imposed on the number of output characters logged for each line of input

entered after the line of input that triggered keystroke logging.

The keystroke logging policy deﬁned in

/etc/rbac/key_filter

is only enforced if the

KEY_STROKE_LOGGING

parameter in /etc/rbac/rbac.conf is set to a value that enables keys-

troke logging. For details, see rbac.conf (4).

CONFIGURATION

This section describes how keystroke logging can be conﬁgured to implement a customized keystroke log-

ging policy. For a description of the syntax of individual entries in

/etc/rbac/key_filter

and

/etc/rbac/rbac.conf

, see key_ﬁlter (4) and rbac.conf (4) respectively.

To log all keystrokes (standard input) for all users, the following set of conditions must be met:

• Keystroke logging is enabled by the

KEYS_STROKE_LOGGING

parameter in

/etc/rbac/rbac.conf

• The

/etc/rbac/key_filter

ﬁle does not exist or contains only a single non-commented line

with one of the following strings:

•

ks_all (Standard input, output and error are logged)

•

ks_stdin (Only standard input is logged)

Under these conditions, there is no user-speciﬁc policy in place and all keystrokes are logged as if every

user has an individual

/etc/rbac/key_filter

entry indicating that all keystrokes are logged for

that user. If

/etc/rbac/key_filter

does not exist, then the behavior is the same as if ks_all is

speciﬁed.

If keystroke logging is not conﬁgured to log all users’ keystrokes, then the keystrokes of a speciﬁc user are

only logged under the following set of conditions:

• Keystroke logging is enabled by the

KEYS_STROKE_LOGGING parameter in

/etc/rbac/rbac.conf.

• The

/etc/rbac/key_filter ﬁle contains at least one valid entry for which the following are

both true:

• The entry is a user entry for that user, or is a group entry for that user’s primary group, or is a

role entry for a role to which that user is assigned.

• The PatternText ﬁeld (as described in the

CONFIGURATION FILE SYNTAX section in

key_ﬁlter (4)) is set to either the single wildcard character (*) or to a regular expression string

that matches characters that the user entered on standard input (i.e., the command line).

/etc/rbac/key_filter contains no valid entries for the user who logs in, then neither input nor

output streams are logged for that user session.

If a user has more than one valid entry that triggers keystroke logging, the entry listed ﬁrst determines

which conﬁguration settings described below (i.e., backward count, forward count, ﬁlestream) are used for

that session; those conﬁguration settings are in place for the remaining of the session if that entry

HP-UX 11i Version 3: March 2012 − 1 − Hewlett-Packard Company 1

Summary of content (6 pages)

PAGE 1
keystroke(5) keystroke(5) NAME RBAC keystroke logging feature DESCRIPTION The keystroke logging feature supports the logging of terminal input (stdin) for user login sessions and, optionally, the corresponding terminal output (stdout and stderr). This feature is configured by modifying the /etc/rbac/key_filter and the /etc/rbac/rbac.conf configuration files. For details, see key_filter (4) and rbac.conf (4).
PAGE 2
keystroke(5) keystroke(5) specifies a forward count set to dflt. If the entry instead specifies a positive numeric value for the forward count, then the configuration settings are no longer in effect when the specified number of stdin characters are logged; subsequent user input can then trigger additional keystroke logging according to that entry or any of the other entries that apply to that user. Other configurable keystroke logging features can be specified in the /etc/rbac/rbac.
PAGE 3
keystroke(5) keystroke(5) 200 PORT command successful. (Sat May 14 16:26:58 2011) RETR myfile 150 Opening BINARY mode data connection for myfile (39 bytes). 226 Transfer complete. (Sat May 14 16:27:01 2011) RMD myfile 550 myfile: Not a directory. (Sat May 14 16:27:05 2011) DELE myfile 550 myfile: Not owner. (Sat May 14 16:27:13 2011) QUIT 221-You have transferred 39 bytes in 1 files. 221-Total traffic for this session was 959 bytes in 2 transfers. 221-Thank you for using the FTP service on myhost.com.
PAGE 4
keystroke(5) keystroke(5) 150 Opening BINARY mode data connection for myfile (39 bytes). 226 Transfer complete. 39 bytes received in 0.006 seconds (6499 bytes/s) ftp> rm myfile 550 myfile: Not a directory. ftp> del myfile 550 myfile: Not owner. ftp> quit > See key_filter (4) for sample /etc/rbac/key_filter entries. LIMITATIONS Keystroke logging of ssh sessions is not supported for the case where both UsePAM and UseLogin are set to yes in sshd_config(5). Keystroke logging of rcmds sessions (i.e.
PAGE 5
keystroke(5) keystroke(5) NOTES Records in /var/adm/sulog appear differently when keystroke logging is enabled for a session and two or more su(1) commands are run in the same login session.
PAGE 6
(Notes) A (Notes) kA 6 Hewlett-Packard Company −1− HP-UX 11i Version 3: March 2012