Previous Topic: Defining the Audit Events That CA ControlMinder Writes to the Audit Log

Next Topic: How CA ControlMinder Determines the Audit Mode for a User

Endpoint Administration Guide for UNIXAuditing EventsHow User Session Logging Works

How User Session Logging Works

User session logging lets you trace user activities on the endpoint, replay the sessions, and view the commands the user entered during that session.

The session logger logs input for all programs listed in the /etc/shells and the <AC>/etc/shells.def files. For example, if /usr/bin/passwd is listed in /etc/shells and you use passwd to change your password, the seaudit utility displays your changed password when you display the session logs. We recommend that you review the /etc/shells file before you implement session logging.

Follow these steps:

  1. Install CA ControlMinder with the Keyboard Logger option enabled.

    Customize the CA ControlMinder parameters file to enable Keyboard Logger.

    Note: You can enable Keyboard Logger after installation in the seos.ini file.

  2. Start CA ControlMinder.

    Verify that the Keyboard Logger daemon, KBLAudMngr, is running. Use the issec utility to view the status of CA ControlMinder daemons.

  3. Assign the INTERACTIVE property to the users that you want to trace to enable session logging. For example:

    CA ControlMinder enables session logging for the user account.

  4. When a user logs into the endpoint, CA ControlMinder begins to record the user session. When the user logs out of the endpoint, the session ends.
  5. CA ControlMinder saves the recorded sessions in the kbl.audit log file. The file is located in the following directory: 
    /opt/CA/AccessControl/log
  6. Use the seaudit utility with the -kbl command to display the contents of the kbl.audit log file. For example: 
    ./seaudit -kbl -sid 65223 -rp

    Note: For more information about the seaudit -kbl command, see the Reference Guide. We recommend that you integrate the CA ControlMinder endpoint with CA Enterprise Log Manager to collect user sessions from hosts in your enterprise and generate reports. For more information about the integration with CA Enterprise Log Manager, see the Implementation Guide.