How User Session Logging Works

User session logging lets you trace user activities on the endpoint, replay the sessions, and view the commands that the user entered during that session.

Note: The Keyboard Logger (KBL) uses both the /etc/shells and the <AC>/etc/shells.def files.

The session logger logs input for all programs that are listed in the /etc/shells and the <AC>/etc/shells.def files. For example, if /usr/bin/passwd is listed in /etc/shells and you use passwd to change your password, the seaudit utility displays your changed password when you display the session logs. We recommend that you review the /etc/shells file before you implement session logging.
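One way to carry out the recommended review, as an added example that is not part of the CA ControlMinder documentation or product: the script lists every entry in the given files that is not an ordinary login shell, since input typed into those programs would be recorded. The script name, the KNOWN_SHELLS list, and the assumption that shells.def uses the same one-path-per-line format as /etc/shells are assumptions.

```shell
#!/bin/sh
# Added example, not CA ControlMinder code: list entries in the shells files
# that are not ordinary login shells, because their input would be logged.

# Assumption: basenames accepted as ordinary shells. Adjust for your site.
KNOWN_SHELLS="sh bash ksh ksh93 csh tcsh zsh dash"

# review_shells FILE...
# Prints "<file>:<line number>: <path>" for each entry to review.
# Returns 0 when every entry is a known shell, 1 otherwise.
review_shells() {
    rc=0
    for file in "$@"; do
        [ -r "$file" ] || { echo "skip: cannot read $file" >&2; continue; }
        lineno=0
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            # Strip comments and surrounding whitespace (assumed file format:
            # one path per line, "#" starts a comment, as in /etc/shells).
            entry=$(printf '%s\n' "$line" |
                sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
            [ -n "$entry" ] || continue
            base=${entry##*/}
            case " $KNOWN_SHELLS " in
                *" $base "*) ;;
                *) echo "$file:$lineno: $entry"; rc=1 ;;
            esac
        done < "$file"
    done
    return "$rc"
}

# Usage: sh review_shells.sh /etc/shells "<AC>/etc/shells.def"
# With no arguments, run against a constructed sample instead.
if [ "$#" -gt 0 ]; then
    review_shells "$@"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' /bin/sh /bin/bash /usr/bin/passwd > "$sample"
    review_shells "$sample" || echo "Review the entries listed above." >&2
    rm -f "$sample"
fi
```

Replace `<AC>` with the CA ControlMinder installation directory on the endpoint.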

Note: The seaudit -kbl command does not record -cmd for a user whose login shell is /bin/sh.

Follow these steps:

  1. Install CA ControlMinder with the Keyboard Logger option enabled.

    Customize the CA ControlMinder parameters file to enable Keyboard Logger.

    Note: You can enable Keyboard Logger after installation in the seos.ini file.

  2. Start CA ControlMinder.

    Verify that the Keyboard Logger daemon, KBLAudMngr, is running. Use the issec utility to view the status of CA ControlMinder daemons.

  3. Assign the INTERACTIVE property to the users that you want to trace to enable session logging. For example:

    CA ControlMinder enables session logging for the user account.

  4. When a user logs in to the endpoint, CA ControlMinder begins to record the user session. When the user logs out of the endpoint, the session ends.
  5. CA ControlMinder saves the recorded sessions in the kbl.audit log file. The file is located in the following directory:
    /opt/CA/AccessControl/log
    
  6. Use the seaudit utility with the -kbl command to display the contents of the kbl.audit log file. For example:
    ./seaudit -kbl -sid 65223 -rp
    

    Note: For more information about the seaudit -kbl command, see the Reference Guide.

    We recommend that you integrate the CA ControlMinder endpoint with CA User Activity Reporting to collect user sessions from hosts in your enterprise and generate reports. For more information about the integration with CA User Activity Reporting, see the Implementation Guide.