TTY Auditing User Keystrokes

Hello, I've managed to get Auditbeat working on a remote server and I have enabled user keystrokes.

But I'm a bit lost in finding the entries showing the keystrokes when using the server as a user.

Do I need to point to the audit logs or enable a setting in the module?


I'd encourage you to look at execve as an audit_rule in the auditd section. TTY auditing keystrokes is great, but it can capture secrets and also has gaps with bash aliases. execve logs show what actually executes, which is pure gold.

Do you have an example of using execve as an audit_rule?

Many Thanks

Auditbeat includes an example rule that monitors execve. You should see that in /etc/auditbeat/audit.rules.d/sample-rules.conf.disabled. Any files in that directory ending in .conf should get loaded automatically with the default config. That file is in GitHub.
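For readers who want to see what such a rule looks like in practice, here is an added example of an auditd module section that records every execve; it is not taken from the thread or from the Auditbeat project's own sample file. It assumes the config lives at /etc/auditbeat/auditbeat.yml and that the rules directory is the conventional ${path.config}/audit.rules.d; the rule lines use standard auditctl syntax.

```yaml
# Added example, not from the thread or the Auditbeat project.
# Assumed file: /etc/auditbeat/auditbeat.yml
auditbeat.modules:
- module: auditd
  # Load any *.conf rule files from the rules directory (assumed path).
  # Renaming sample-rules.conf.disabled to sample-rules.conf enables the
  # shipped sample, but the inline rules below are enough on their own.
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  # Record every successful or failed execve/execveat on both the 64-bit
  # and 32-bit ABIs. Without the b32 rule a 32-bit binary would not be
  # logged. The -k key "exec" tags the events so they are easy to filter.
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b32 -S execve,execveat -k exec
```

The resulting events carry the executed program and its arguments, which is what the execve advice above is about: you see the command that actually ran, regardless of whether the user typed it through an alias or a script. Because argument lists can still contain secrets passed on the command line, review what ends up in the index before shipping it widely.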
