Problem
You want to capture and timestamp all keystrokes typed into a router and associate them with a particular user.
Solution
The AAA Accounting feature allows you to capture keystrokes and log them on the TACACS+ server:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#aaa new-model Router1(config)#aaa accounting commands 1 default stop-only group tacacs+ Router1(config)#aaa accounting commands 15 default stop-only group tacacs+ Router1(config)#end Router1#
Discussion
The ability to capture every keystroke entered into a router is a powerful security and quality assurance feature that that is extremely useful. For instance, keystroke logging provides the ability to perform network forensic reconstruction of events. TACACS+ provides the ability to capture all keystrokes typed into your routers and log them for future reference. The TACACS+ log contains the command that was typed along with useful information, such as time and date, router name, username, originating IP address, and privilege level. Here is an example of a TACACS+ accounting record:
Fri Jan 3 11:08:47 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=512 start_time=1041610127 timezone=EST service=shell priv-lvl=15 cmd=configure terminal
In this log entry, we can see that user ijbrown submitted the command configure terminal on router toronto at 11:08 on January 3, 2003. It also shows that this user accessed the router from IP address 172.25.1.1 using tty66.
To save disk space on your TACACS+ server, you may decide to log only level 15-based commands, which is done with this command:
Router1(config)#aaa accounting commands 15 default stop-only group tacacs+
Level 1 commands are generally relatively benign and pose little real threat to the security or health of the router. So logging them is less important than for level 15 commands. But we generally recommend logging all commands, if you're logging commands at all, because the level 1 commands might show useful patterns of information. Of course, you can log the commands issued at any user level by adding more aaa accounting lines and specifying the appropriate user level.
See Also
Recipe 4.6; Recipe 4.8
Router Configuration and File Management
Router Management
User Access and Privilege Levels
TACACS+
IP Routing
RIP
EIGRP
OSPF
BGP
Frame Relay
Handling Queuing and Congestion
Tunnels and VPNs
Dial Backup
NTP and Time
DLSw
Router Interfaces and Media
Simple Network Management Protocol
Logging
Access-Lists
DHCP
NAT
First Hop Redundancy Protocols
IP Multicast
IP Mobility
IPv6
MPLS
Security
Appendix 1. External Software Packages
Appendix 2. IP Precedence, TOS, and DSCP Classifications
Index