Recording keystrokes
Privilege Manager only generates a keystroke log when the policy server accepts a command and keystroke logging is enabled in the policy. When the policy server accepts a command, Privilege Manager records the keystrokes and stores them on the policy server. If the policy server rejects a command, Privilege Manager neither records keystrokes nor generates a log.
To generate a keystroke log
- Log into the host on which the Privilege Manager software is installed as a non-privileged user specified in the policy.
- At the command prompt, enter:
  sudo bash
  Enter your password. When you enter sudo bash, it opens a new shell.
- At the new shell's command prompt, enter the following lines:
  echo "This is fun."
  echo "My keystrokes are being recorded"
  whoami
  id
  Note: For a fun demonstration, type echo "This is a mistake", then backspace over the word mistake and type fixed in its place. When you replay the keystroke log you will see that it records every keystroke!
- Enter exit to close the bash shell.
  Privilege Manager records every keystroke after you enter sudo until you enter exit.
You are now ready to replay your keystroke log from the management console.
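As an added illustration of why a replay of every keystroke matters to an auditor (this is example code, not part of the Privilege Manager documentation or product), the following Python renders a constructed raw keystroke stream two ways: exactly as typed, and as the shell finally received it. The stream encoding (backspace as \x08 or \x7f, Ctrl-W as \x17, Ctrl-U as \x15) is an assumption; the real keystroke-log format is not shown on this page.

```python
# Constructed sample: the "mistake" demonstration from the steps above.
# The user types the command, backspaces over 'mistake"' (8 characters),
# then types 'fixed"' and presses Enter, followed by whoami.
RAW_STREAM = 'echo "This is a mistake"' + '\x08' * 8 + 'fixed"\n' + 'whoami\n'

# Assumed control-character encoding for the raw stream.
ERASE_CHAR = ('\x08', '\x7f')   # Backspace / Delete
ERASE_WORD = '\x17'             # Ctrl-W
ERASE_LINE = '\x15'             # Ctrl-U


def render_as_typed(stream: str) -> str:
    """Show every keystroke, with editing keys made visible (the 'replay' view)."""
    names = {'\x08': '<BS>', '\x7f': '<BS>', ERASE_WORD: '<C-W>',
             ERASE_LINE: '<C-U>', '\n': '<CR>\n'}
    return ''.join(names.get(ch, ch) for ch in stream)


def render_as_seen(stream: str) -> list:
    """Apply the editing keys and return the command lines the shell actually ran."""
    lines, buf = [], []
    for ch in stream:
        if ch in ERASE_CHAR:
            if buf:
                buf.pop()
        elif ch == ERASE_WORD:           # drop trailing spaces, then the word
            while buf and buf[-1] == ' ':
                buf.pop()
            while buf and buf[-1] != ' ':
                buf.pop()
        elif ch == ERASE_LINE:
            buf.clear()
        elif ch == '\n':
            lines.append(''.join(buf))
            buf.clear()
        else:
            buf.append(ch)
    if buf:                               # unterminated final line
        lines.append(''.join(buf))
    return lines


def count_corrections(stream: str) -> int:
    """Number of editing keystrokes, i.e. what the final command lines alone would hide."""
    return sum(1 for ch in stream if ch in ERASE_CHAR or ch in (ERASE_WORD, ERASE_LINE))


if __name__ == '__main__':
    print(render_as_typed(RAW_STREAM))
    print(render_as_seen(RAW_STREAM), count_corrections(RAW_STREAM))
```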
Listing events and replaying keystroke logs
Keystroke logs are related to events. When you run a command, such as sudo whoami, the policy server either accepts or rejects the command based on the rules in the policy. When the policy server accepts the command, it creates an event and a corresponding keystroke log. If it rejects the command, it does not create a keystroke log. In order to view a keystroke log, you must first list events.
Note: To record and replay keystroke logs, you must log in either as the supervisor or an Active Directory account with rights to audit the policy file; that is, an account in the Audit Sudo Policy or Audit PM Policy role.
To list events and replay keystroke logs
- From the management console, navigate to Policy | Event Logs.
  Note: You can also access Event Logs from these context menus:
  - From the host list on the All Hosts view, right-click a host name and choose Find event logs.
  - From the console All Local Users tab, right-click a user name and choose Find event logs.
  - From a host's properties Users tab, right-click a user name and choose Find event logs.
  - From the console Active Directory tab, right-click an AD object name and choose Find event logs.
- Select options in the search controls on the Find Event Logs pane, and click Find.
  For example, you can search for all events logged for a particular user, all events logged on a particular host, or all events logged during a specific date and time range.
- Click the Replay keystroke log button next to a listed event to load the log for replay.
  A Replay Log tab displays.
- Click the Play button to replay the log.
Replay log controls
To use the replay log controls
- Click the Play button to start or pause the log replay.
- Click the Step Forward button to step forward through the keystrokes.
  Note: The Step Forward and Step Backwards buttons are not enabled while the log is replaying.
- Click the Step Backwards button to step backwards through the keystrokes.
- Click the Stop button to stop the replay and reset the log back to the beginning.
- Click the Replay Speed button to change the speed of the replay. Clicking this button repeatedly steps through speed selections of 1 to 5 times the normal speed.
- Click the Text View button to display the entire replay log as text without replaying it.
  Note: To close a text view of a log, click the Text View button again.
Reporting
Management Console for Unix enables administrators to quickly and easily provide auditors with granular reports on Unix identity information, including the highly desirable assessment of which Active Directory user can authenticate on specific Unix systems. By consolidating the generation and viewing of reports within the console, Management Console for Unix reduces the time and effort required to create key reports that traditionally required multiple collections, data collation, and manual processes across multiple Unix systems.
The topics in this section explain how to export reports for the hosts managed through the management console. They also describe the reports available on the Reporting tab.