When implemented properly, keystroke logging is a win for users, system administrators, security teams and auditors.  Users may feel like it is an invasion of privacy–it isn’t. System administrators often believe it will negatively impact performance–it won’t.  And security teams always ask if the data collected it searchable/usable–it is. Moreover, for many companies, it can be a compliance requirement.  XYGATE Access Control (XAC) brings transparent keystroke logging, as well as other features to the HPE NonStop while answering all the above questions in a way that pleases everyone.

The best way to implement keystroke logging

Keystroke Logging Print

There are many ways to implement keystroke logging, for example, screen recordings to hardware devices attached to every terminal, and to intermediate servers that accept input and pass it on. The most effective means has always been to capture the input and output as close to the system as possible. Screen recordings make text searching problematic and have large storage requirements.  Hardware devices must be attached to any tool that might interact with the system.  Intermediate systems have issues with non-repudiation, emulation and control issues.  Capturing and controlling input at the shell level directly on the target system provides a seamless and effective approach that requires no additional infrastructure. This allows for the most flexibility, tightest integration, best reportability, and 100% availability that every customer should expect.

XYGATE Access Control delivers functionality for one, some, or all users on the HPE NonStop regardless of how they access a system shell. XAC can be implemented to capture keystrokes from Guardian (TACL), OSS (ksh, bash, etc.), via telnet (hopefully over tls!), ssh or any other method. XAC keystroke logging can operate with or without Safeguard and can differentiate between a user and an alias for both reporting and control.

Does my system require keystroke logging?

If the system handles PCI data, you should be keystroke logging privileged users, at the minimum.  PCI requirements states you must implement automated audit trails for all system components to reconstruct the following events:

  • All individual user access to cardholder data.
  • All actions were taken by any individual with root or administrative privileges.

Keystroke logging is the most effective method to meet this requirement.

Because XAC keystroke logging adds negligible overhead to any session, XYPRO recommends that ALL users be keystroke logged for ALL sessions.

For users that feel that full-time keystroke logging is an invasion of privacy, they should be reminded that all NonStop resources are owned, controlled and managed by their company. All activity–certainly on production hosts–is monitored and should only be used for official purposes.

How about searching and reporting?

XAC shares the XYGATE common architecture that allows it to leverage the entire XYGATE Suite; Configuration Manager for updating the ruleset; report manager for simple reporting. Besides, it easily integrates into XYGATE Merged Audit and XYGATE SecurityOne for advanced reporting and alerting.

Reports can be configured based on time, user/alias, terminal, keyword or any other criteria. Common reports include privileged users, by session.  These reports can be archived for ease of access and the contents are in plain text to facilitate searching. For example, let us say an auditor wants to know who logged on as SUPER.SUPER on Friday, February 7, 2020, and which operations the user executed–done.  Does the auditor need to see who typed the word “PURGE” coming from a VPN connection?  The answer is Just a few clicks away.  Do they need to know if anyone accessed APP.MANAGER last week? Simple, there is an aggregate report for it already complete.

XYGATE Access Control is configured to collect all user input during any privilege escalation session.  It can be configured to collect input AND output, including block mode auditing for any user, at any time.  All audit data includes everything necessary to perform forensic investigations such as time of entry, user/alias (both escalated user and underlying user), terminal id/IP address, command, arguments/text, result, and more.  As the logs are stored in plain text, they can be compressed and/or sent off-host to Security Incident Event Manager (SIEM) or XYGATE SecurityOne for real-time threat detection via XYGATE Merged Audit.  This reduces the burden of monitoring, searching and alerting to the team that is best positioned to handle it.

Customer Success Using XAC Keystroke Logging

A NonStop customer recently encountered an issue, during a major system upgrade, which impacted business operations as well as those of several external customers. After they were unable to restore normal operations, the system upgrade was stopped and reverted to its previous state. Many hours were spent to resolve the issues and identify the root cause. It wasn’t until the next day that the root cause was discovered which increased loss of revenue and maintenance schedules.

The issue was discovered by an XAC keystroke log. The report determined that the problem was caused by human error. A technical team member had mistakenly executed an erroneous command, which impacted system communications. This customer declared that “without the XAC keystroke log report, we may have never discovered the root cause.” Armed with this vital information, this business was able to inform affected customers and reassure them that all necessary steps have been taken to make sure this type of outage will never occur again. Additionally, this NonStop customer developed training to educate employees about proper privileged account id usage.

There is no reason not to log

Administrative users hold the keys to vital information on your systems. They have the power to take action with the highest privileges on the most sensitive areas of your HPE NonStop server. To ensure no damage occurs either maliciously or inadvertently by user error, PCI DSS Requirement 10.2.2 and other compliance frameworks require that all actions taken by any user with administrative privileges must be tracked.

XYGATE Access Control comes packaged with keystroke logging functionality out of the box. The keystroke log report lists all the activities each user makes resulting in ease of compliance easy. These data-rich logs can also be forwarded to an enterprise SIEM through XYGATE Merged Audit for compliance with PCI DSS Requirement 10.2.2.

If users are hesitant or weary of keystroke logging, let them know that it is used more often to prove who did NOT do something.  The purge of a critical file by a shared user can easily be located and tracked using keystroke logs and will greatly reduce the time necessary to identify issues and provide non-repudiation.

Between compliance requirements, zero overhead, extensible reporting and the ability to record actions from all users, XYGATE Access Control is an ideal solution to meet this very necessary security requirement.