TTY Auditing User Keystrokes

Hello I've managed to get Auditbeats working a remote server and I have enabled user keystrokes

But I'm a bit lost in finding the entries showing the keystrokes when using the server as a user.

Do i need to need to point the audit logs or enable a setting in the module?

1 Like

I'd encourage you to look at the execve as an audit_rule in the auditd section. TTY auditing keystrokes is great but it can capture secrets and also has gaps with a bash aliases. execve logs show what actually executes which is pure gold.

do you have an example of using execve as an audit_rule?

Many Thanks

Auditbeat includes an example rule that monitors execve. You should see that in /etc/auditbeat/audit.rules.d/sample-rules.conf.disabled. Any files in that directory ending in .conf should get loaded automatically with the default config. That file is in Github.