Unix Keylogger

When using ObserveIT Keylogging on Unix systems, the Unix Monitor records user activity in any interactive shell running on the machine, and transfers the output data to the ITM On-Prem (ObserveIT) Application Server. On Unix machines, keylogging capabilities are always enabled.

All Unix/Linux command line activity (user input and screen output) is recorded, including the data stream to and from the terminal on which the user logged in. Commands run by scripts and underlying system commands are also captured.

In order to protect the captured data and secure the communication, it is advised that you enable HTTPS (SSL or TLS) on the traffic between the Agent and the Application Server. For details on how to enable HTTPS, see Enabling SSL/TLS on the ITM On-Prem (ObserveIT) Application Server/Web Console Server. If necessary, the SQL Server database can be encrypted by using standard SQL Server database encryption procedures.

Recording begins whenever a user starts any interactive session on the system, whether remotely (via Telnet, SSH, rlogin, and so on) or locally via a console login.

The visual replay of user sessions is provided by the ObserveIT Session Player. For details, see Unix Session Player.

On Unix systems, you can generate alerts via key logging when users enter specific Unix commands or command line parameters (arguments). For example, you can alert on a user attempt to execute an action on sensitive file names, directory names, paths, and so on. For details, see Executed Command.

Unix Keylogging Example

The following example shows how captured key logging data can be used to generate an alert on a Unix operating system.

In this example, the user types the command sudo-i to open a root shell in a Unix session. This is a risky activity as executing the sudo command from within a script enables the security privileges of super users.

When the user types the command, the text is captured by the ObserveIT keylogger.

An alert rule can be configured for this action to generate an alert when the Executed Command name is sudo and the Switch is -i, as shown in the following screenshot:

In the Unix Session Player, you can replay a video of the recorded session and see the alert details as the replay progresses. For details, see Viewing Alerts in the Session's Video.

After an alert is triggered, the end user will receive a real-time Warning Notification, as configured in the alert rule. On Unix, the Warning Notification text is written directly to the terminal output.

The following screenshot provides an example of how a Warning Notification for this example might appear to a Unix end user:

The end user cannot acknowledge the message nor respond to it with feedback. They can only clear the text message, by pressing Ctrl+L (^L).