Previous Topic: Defining the Audit Events That CA Access Control Writes to the Audit Log

Next Topic: How CA Access Control Determines the Audit Mode for a User

Endpoint Administration Guide for UNIXAuditing EventsHow User Session Logging Works

How User Session Logging Works

User session logging lets you trace user activities on the endpoint, replay the sessions, and view the commands the user entered during that session.

The session logger logs input for all programs listed in the /etc/shells file. For example, if /usr/bin/passwd is listed in /etc/shells and you use passwd to change your password, the seaudit utility displays your changed password when you display the session logs. We recommend that you review the /etc/shells file before you implement session logging.

The following process explains how user session logging works:

  1. Install CA Access Control with the Keyboard Logger option enabled.

    Customize the CA Access Control parameters file to enable Keyboard Logger.

    Note: You can enable Keyboard Logger after installation in the seos.ini file.

  2. Start CA Access Control.

    Verify that the Keyboard Logger daemon, KBLAudMngr, is running. Use the issec utility to view the status of CA Access Control daemons.

  3. Assign the INTERACTIVE property to the users that you want to trace to enable session logging. For example:

    CA Access Control enables session logging for the user account.

  4. When a user logs into the endpoint, CA Access Control begins to record the user session. When the user logs out of the endpoint, the session ends.
  5. CA Access Control saves the recorded sessions in the kbl.audit log file. The file is located in the following directory: 
    /opt/CA/AccessControl/log
  6. Use the seaudit utility with the -kbl command to display the contents of the kbl.audit log file. For example: 
    ./seaudit -kbl -sid 65223 -rp

    Note: For more information about the seaudit -kbl command, see the Reference Guide. We recommend that you integrate the CA Access Control endpoint with CA Enterprise Log Manager to collect user sessions from hosts in your enterprise and generate reports. For more information about the integration with CA Enterprise Log Manager, see the Implementation Guide.