Capturing User Keystrokes

Problem

You want to capture and timestamp all keystrokes typed into a router and associate them with a particular user.

Solution

The AAA Accounting feature allows you to capture keystrokes and log them on the TACACS+ server:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model 
Router1(config)#aaa accounting commands 1 default stop-only group tacacs+
Router1(config)#aaa accounting commands 15 default stop-only group tacacs+
Router1(config)#end
Router1#

Discussion

The ability to capture every keystroke entered into a router is a powerful security and quality assurance feature that that is extremely useful. For instance, keystroke logging provides the ability to perform network forensic reconstruction of events. TACACS+ provides the ability to capture all keystrokes typed into your routers and log them for future reference. The TACACS+ log contains the command that was typed along with useful information, such as time and date, router name, username, originating IP address, and privilege level. Here is an example of a TACACS+ accounting record:

Fri Jan  3 11:08:47 2003        toronto ijbrown tty66   172.25.1.1      stop    task_id=512 start_time=1041610127   timezone=EST    service=shell   priv-lvl=15     cmd=configure terminal <cr>

In this log entry, we can see that user ijbrown submitted the command configure terminal on router toronto at 11:08 on January 3, 2003. It also shows that this user accessed the router from IP address 172.25.1.1 using tty66.

To save disk space on your TACACS+ server, you may decide to log only level 15-based commands, which is done with this command:

Router1(config)#aaa accounting commands 15 default stop-only group tacacs+

Level 1 commands are generally relatively benign and pose little real threat to the security or health of the router. So logging them is less important than for level 15 commands. But we generally recommend logging all commands, if you’re logging commands at all, because the level 1 commands might show useful patterns of information. Of course, you can log the commands issued at any user level by adding more aaa accounting lines and specifying the appropriate user level.

See Also

Recipe 4.6; Recipe 4.8

Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial