keystroke.5 (2012 03)
keystroke(5) keystroke(5)
150 Opening BINARY mode data connection for myfile (39 bytes).
226 Transfer complete.
39 bytes received in 0.006 seconds (6499 bytes/s)
ftp> rm myfile
550 myfile: Not a directory.
ftp> del myfile
550 myfile: Not owner.
ftp> quit
>
See key_filter(4) for sample /etc/rbac/key_filter entries.
LIMITATIONS
Keystroke logging of ssh sessions is not supported for the case where both UsePAM and UseLogin are set to yes in sshd_config(5).
Keystroke logging of rcmds sessions (i.e., remsh, rcp, rdist) is not supported.
Keystroke logging of sftp sessions is not supported because the sftp protocol is a binary protocol that does not allow user command input and the corresponding output of sftp sessions to be easily captured in readable format. However, sftp sessions can be captured with syslog by specifying sftp-server(8) with the -l option in the Subsystem section of the sshd_config(5) configuration file for sshd(8).
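
The two sshd_config(5) conditions above (UsePAM and UseLogin both set to yes, and sftp-server(8) configured without -l) leave sessions outside the audit trail. The following added example, which is not part of the HP-UX manual page, checks the text of a configuration file for both. The function name, finding codes, sample file contents (including the sftp-server path and the INFO log level), and the treatment of an absent keyword as not set to yes are assumptions.

```python
import shlex

# Constructed sample sshd_config contents (not taken from a real system).
WEAK = """\
UsePAM yes
UseLogin yes
Subsystem sftp /opt/ssh/libexec/sftp-server
"""
HARDENED = """\
# keystroke logging covers ssh; sftp is recorded through syslog
UsePAM yes
UseLogin no
Subsystem sftp /opt/ssh/libexec/sftp-server -l INFO
"""

def audit_sshd_config(text):
    """Return (code, message) findings for keystroke-logging coverage gaps."""
    settings, subsystems = {}, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        key, args = tokens[0].lower(), tokens[1:]  # keywords are case-insensitive
        if key == "match":
            break  # only global settings are evaluated here
        if key == "subsystem" and len(args) >= 2:
            subsystems.setdefault(args[0].lower(), args[1:])
        elif args:
            # sshd uses the first value it reads for a keyword
            settings.setdefault(key, args[0].lower())
    findings = []
    # Assumption: a keyword absent from the file is treated as not "yes".
    if settings.get("usepam") == "yes" and settings.get("uselogin") == "yes":
        findings.append(("SSH_UNSUPPORTED",
                         "UsePAM and UseLogin are both yes: ssh keystroke "
                         "logging is not supported"))
    sftp = subsystems.get("sftp")
    if sftp is not None and "-l" not in sftp[1:]:
        findings.append(("SFTP_NOT_SYSLOGGED",
                         "sftp subsystem lacks -l: sftp sessions are not "
                         "captured with syslog"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The check assumes whitespace-separated keywords and values and reads only the global section of the file.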
If keystroke logging is enabled for ssh, then the data transferred during an sftp session is stored in a keystroke log file. Transferring large files will stall and possibly hang the sftp session if the amount of data being transferred exceeds the maximum size allowed for a keystroke log file, as set by the KEY_STROKE_LOGSIZE parameter in /etc/rbac/rbac.conf. You cannot configure keystroke logging to log ssh sessions but not sftp sessions.
When logging ftp sessions, ftp commands as entered by the user are not logged. Instead, the equivalent internal ftp commands are logged. Also, not all ftp output is logged, such as the output from the ls command. See the example in the EXAMPLES section above.
ftp sessions are only logged for a particular user if /etc/rbac/key_filter is configured to always log all users or to always log that particular user. For details, see key_filter(4).
Some commands, such as who am i and tty, do not work as expected because the user’s initial terminal at login is not the same as the user’s terminal when the commands are run under keystroke logging. Likewise, the user’s initial terminal at login is captured in some files, such as /var/adm/wtmps, while the user’s (different) terminal used during keystroke logging is captured by other files, such as /var/adm/sulog.
The Software Distributor (SD) Terminal User Interface (TUI) does not respond to the Enter key.
10K is the maximum total number of previously entered standard input characters saved that can later be logged if a line of input triggers keystroke logging. The maximum number of output characters saved and logged for each line of previously saved input is determined by the value of the KEY_STROKE_MAX_OUTPUT_SAVED parameter in /etc/rbac/rbac.conf.
Certain control characters entered by the user are not logged. For example, the following keystroke log entry is logged when a user enters cd /var/ followed by control-U (^U) to erase the line of input, followed by !cat to execute the previous cat command:
(Mon Feb 28 09:01:16 2011) cd /var/!cat
In some cases, the time stamp for a previously saved line of input is no longer available, resulting in the string (Unknown timestamp) appearing before the line of input in the keystroke log file.
In some cases, a previously saved line of input is logged but is no longer entirely available, resulting in the string (TRUNCATED STDIN) appearing before the truncated line in the keystroke log file. The truncated message can also appear even if the entire line is available, depending on the value of the backward count.
In some cases, not all of the output of a previously saved line of input could be saved, resulting in the string (TRUNCATED STDOUT/STDERR) appearing after the truncated output in the keystroke log file.
Hewlett-Packard Company − 4 − HP-UX 11i Version 3: March 2012