User session logging lets you trace user activities on the endpoint, replay the sessions, and view the commands that the user entered during that session.
Note: KBL uses both /etc/shells and <AC>/etc/shells.def files.
The session logger logs input for all programs that are listed in the /etc/shells and the <AC>/etc/shells.def files. For example, if /usr/bin/passwd is listed in /etc/shells and you use passwd to change your password, the seaudit utility displays your changed password when you display the session logs. We recommend that you review the /etc/shells file before you implement session logging.
Note: The seaudit -kbl command does not record -cmd for a user who login shell is /bin/sh.
Follow these steps:
Customize the CA ControlMinder parameters file to enable Keyboard Logger.
Note: You can enable Keyboard Logger after installation in the seos.ini file.
Verify that the Keyboard Logger daemon, KBLAudMngr, is running. Use the issec utility to view the status of CA ControlMinder daemons.
eu user1 audit(interactive)
Check the Interactive box in the Audit tab of the User Properties window.
CA ControlMinder enables session logging for the user account.
/opt/CA/AccessControl/log
./seaudit -kbl -sid 65223 -rp
Note: For more information about the seaudit -kbl command, see the Reference Guide. We recommend that you integrate the CA ControlMinder endpoint with CA User Activity Reporting to collect user sessions from hosts in your enterprise and generate reports. For more information about the integration with CA User Activity Reporting, see the Implementation Guide.
Copyright © 2013 CA Technologies.
All rights reserved.
|
|