Keystroke logging

Answered Question
Sep 28th, 2006
User Badges:

Using ACS and tacacs+ can I record the keystrokes users type when they enter commands on a device such as a router or switch?

Correct Answer by pbunet about 10 years 10 months ago

Yes , you can record whatever commands a user has run on the Cisco IOS box . For this you need to firstly configure command authorization on the IOS device along with the accounting. Below are the commands that you need.


aaa new-model

aaa authentication login default group tacacs local

aaa authorization exec default group tacacs if-autheticated

aaa authorization commands 0 default group tacacs if-authenticated

aaa authorization commands 1 default group tacacs if-authenticated

aaa authorization commands 15 default group tacacs if-authenticated

aaa accounting commands 0 default group tacacs

aaa accounting commands 1 default group tacacs

aaa accounting commands 15 default group tacacs

tacacs-server host x.x.x.x ket


We also need to configure command authorization in ACS server using the below link ( Note : this link show the sample configuration of ACS using PIX but you can configure the IOS devices similarly)


http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7cb.html


Once we have configured the ACS and the IOS devices you can check the commands run by users in ACS by going to Reports & Activities > Tacacs admin logs .



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
pbunet Fri, 09/29/2006 - 00:56
User Badges:

Yes , you can record whatever commands a user has run on the Cisco IOS box . For this you need to firstly configure command authorization on the IOS device along with the accounting. Below are the commands that you need.


aaa new-model

aaa authentication login default group tacacs local

aaa authorization exec default group tacacs if-autheticated

aaa authorization commands 0 default group tacacs if-authenticated

aaa authorization commands 1 default group tacacs if-authenticated

aaa authorization commands 15 default group tacacs if-authenticated

aaa accounting commands 0 default group tacacs

aaa accounting commands 1 default group tacacs

aaa accounting commands 15 default group tacacs

tacacs-server host x.x.x.x ket


We also need to configure command authorization in ACS server using the below link ( Note : this link show the sample configuration of ACS using PIX but you can configure the IOS devices similarly)


http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7cb.html


Once we have configured the ACS and the IOS devices you can check the commands run by users in ACS by going to Reports & Activities > Tacacs admin logs .



Actions

This Discussion