• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Urban Penguin

The Urban Penguin - Linux Training

  • Home
  • About
  • Live Online Courses
  • Shop
  • RHCSA Guide
  • Programming
    • Master Editing Text Files Using VIM
    • Learn Shell Scripting with BASH
    • PERL Scripting in Linux
    • Ruby Scripting in Linux
    • Scripting with PowerShell
    • Learn C Programming using Linux and the Raspberry Pi
    • General Java Tutorials
    • Java 7 OCA Exam 1ZO-803
  • OS Tutorials
    • Red Hat and CentOS Training
      • Red Hat Enterprise Linux System Administration 1 – RH124
      • RHCSA – System Admin 2 – RH134
      • RHCE – EX294 – Automation With Ansible
    • Learning Ubuntu
    • LPI Training
      • LPI Linux Essentials
      • LPIC-1 Linux Administrator
      • LPIC-2 Certified Linux Engineer
      • LPIC-3 Senior Level Certification
        • LPIC-3 Exam 300 : Mixed Environments
        • LPIC-3 Exam 303 : Security
        • LPIC-3 Exam 304 : Virtualization and High Availability
    • Linux Technologies
      • Apache HTTPD Server
      • Learning PHP
      • Learning PUPPET
      • Learning SAMBA
      • Linux File-Systems
      • Monitoring with Nagios Core
      • MYSQL
      • openLDAP Directories on Linux
You are here: Home / Linux / LPIC-3 Exam 303 / Auditing User Keystrokes in Linux

Auditing User Keystrokes in Linux

August 23, 2018 by The Urban Penguin

Linux Audit System

Auditing User Keystrokes

The Linux Audit system can be taken further by auditing user keystrokes. This would be unusual against many user accounts but great where you want to target one or two individuals with suspicious activity. Auditing user keystrokes will first need us to enable a PAM module. We will add it to both the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. These will need to be edited as root and the following line added to the end of each file:

session required pam_tty_audit.so disable=* enable=student

Adding the directive disables logging for all users except for the user named student. Both the disable and enable list take comma separated list of user names. Here we enable logging of session keystokes for the student user only.

Keystrokes are logged when a user exits a shell. The easiest way to test this is to start a new login shell for the specified user, student in my case.

$ su -l student

Now, any activity on the console will be logged when the user exits the shell. So type a few commands end then exit.

To list the keyboard activity we can use aureport:

$ sudo aureport --tty --start today
TTY Report
============================================== # date time event auid term sess comm data =============================================== 1. 23/08/18 05:26:49 416 1000 ? 2 bash "ls",<ret>,"cd Down",<tab>,<ret>,"cd",<ret>,"exit",<ret>

You can see that the user listed the directory, changed into the Downloads directory using tab completion before returning to their home directory and exiting the shell.

Now, of course, this would become huge to log everything for each user but for those users that do need to be targeted, this could prove invaluable. This may also need human resources or your legal team to approve as it could be construed as intrusive.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Pinterest (Opens in new window)
  • Click to share on Tumblr (Opens in new window)
  • Click to print (Opens in new window)

Filed Under: LPIC-3 Exam 303

Primary Sidebar

Newest Video

The Urban Penguin On Youtube

Products

  • Complete RHCSA 8 Study Guide Complete RHCSA 8 Study Guide £5.99
  • SELinux Guide SELinux Fundamentals in Red Hat Enterprise Linux 8 £1.99
  • Managing POSIX ACLS in Linux £0.99
  • Managing Linux File Permissions £0.99
  • Kernel Module Administration in Linux £0.99

Categories

Pages

  • About The Urban Penguin
  • Contact Us
  • Shop
    • Basket
    • Checkout
    • My Account
  • LPI Training from The Urban Penguin
    • Live and Pluralsight hosted courses
    • Complete Linux Essentials
    • LPIC-3 Senior Level Certification
      • LPIC-3 Exam 300 : Mixed Environments
      • LPIC-3 Exam 303 : Security
      • LPIC-3 Exam 304 : Virtualization and High Availability
    • LPIC-2 Certified Linux Engineer
    • LPIC-1 Linux Administrator
    • LPI Linux Essentials for Raspberry Pi
    • LPI Linux Essentials
  • Operating System Tutorials
    • Linux Foundation Training
    • Solaris 11 OCA 1ZO-821
    • Learning Ubuntu
    • Learning SUSE
    • Red Hat and CentOS Training
      • RHCE – EX294 – Automation With Ansible
      • RHCSA – System Admin 1 – RH124
      • RHCSA – System Admin 2 – RH134
  • Scripting – the power of repetition!
    • Java 7 OCA Exam 1ZO-803
    • General Java Tutorials
    • Learn C Programming using Linux and the Raspberry Pi
    • Ruby Scripting in Linux
    • Scripting with PowerShell
    • PERL Scripting in Linux
    • Learn Shell Scripting with BASH
    • Master Editing Text Files Using VIM
  • Linux Technologies
    • Learning PUPPET
    • openLDAP Directories on Linux
    • Monitoring with Nagios Core
    • Linux File-Systems
    • Learning SAMBA
    • Apache HTTPD Server
    • Learning PHP
    • MYSQL
  • OpenStack
    • Pluralsight
    • Udemy
    • Raspberry Pi Tutorials
    • Citrix Videos
  • Online Instructor-led Courses
    • Red Hat Enterprise Linux System Administration 1 – RH124
    • SELinux Masterclass
    • Bash Scripting Masterclass
    • Nftables Masterclass

© 2021 The Urban Penguin · All Rights Reserved

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok