Auditing User Keystrokes
The Linux Audit system can be taken further by auditing user keystrokes. This would be unusual against many user accounts but great where you want to target one or two individuals with suspicious activity. Auditing user keystrokes will first need us to enable a PAM module. We will add it to both the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. These will need to be edited as root and the following line added to the end of each file:
session required pam_tty_audit.so disable=* enable=student
Adding the directive disables logging for all users except for the user named student. Both the disable and enable list take comma separated list of user names. Here we enable logging of session keystokes for the student user only.
Keystrokes are logged when a user exits a shell. The easiest way to test this is to start a new login shell for the specified user, student in my case.
$ su -l student
Now, any activity on the console will be logged when the user exits the shell. So type a few commands end then exit.
To list the keyboard activity we can use aureport:
$ sudo aureport --tty --start today
============================================== # date time event auid term sess comm data =============================================== 1. 23/08/18 05:26:49 416 1000 ? 2 bash "ls",<ret>,"cd Down",<tab>,<ret>,"cd",<ret>,"exit",<ret>
You can see that the user listed the directory, changed into the Downloads directory using tab completion before returning to their home directory and exiting the shell.
Now, of course, this would become huge to log everything for each user but for those users that do need to be targeted, this could prove invaluable. This may also need human resources or your legal team to approve as it could be construed as intrusive.