It is sometimes a good idea to capture and timestamp every keystroke typed into a router and associate it with a particular user; this helps with the forensics side of security.
The AAA accounting feature allows you to capture keystrokes and log them on the TACACS+ server:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa accounting commands 1 default stop-only group tacacs+
Router1(config)#aaa accounting commands 15 default stop-only group tacacs+
Router1(config)#end
Router1#
The ability to capture every keystroke entered into a router is a powerful security and quality assurance feature. For instance, keystroke logging is extremely useful in the forensic reconstruction of network events. TACACS+ can capture all keystrokes typed into your routers and log them for future reference. The TACACS+ log contains the command that was typed, along with other useful information such as the time and date, router name, username, originating IP address, and privilege level. Here is an example of a TACACS+ accounting record:
Fri Jan 3 11:08:47 2003 toronto ijbrown tty66 172.25.1.1
stop task_id=512 start_time=1041610127 timezone=EST service=shell
priv-lvl=15 cmd=configure terminal <cr>
In this log entry we can see that user ijbrown submitted
the command configure terminal on router toronto at 11:08 on
January 3, 2003. It also shows that this user accessed the router from IP
address 172.25.1.1 using tty66.
To save disk space on your TACACS+ server, you may decide to log only level 15 commands, which is done with this single command:
Router1(config)#aaa accounting commands 15 default stop-only group tacacs+
Level 1 commands are generally relatively benign and pose little real threat to the security or health of the router, so logging them is less important than logging level 15 commands. But we generally recommend logging all commands if you're logging commands at all, because the level 1 commands might reveal useful patterns of activity. You can also log the commands issued at any other user level by adding more aaa accounting lines and specifying the appropriate privilege level.
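The following is an added example, not code from the original text: it parses accounting records in the layout shown above into structured fields, cross-checks the server's timestamp against the router's start_time epoch (a quick clock-skew check), and shows which records survive when only certain "aaa accounting commands <level>" lines are configured. The second and third log lines and the EST offset table are constructed for the example.

```python
"""Parse and cross-check TACACS+ command-accounting records (added example)."""
from datetime import datetime, timedelta, timezone
# Constructed sample log in the layout shown on the page: the first line is the
# page's record, the other two are invented to exercise the privilege filter.
SAMPLE_LOG = """\
Fri Jan 3 11:08:47 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=512 start_time=1041610127 timezone=EST service=shell priv-lvl=15 cmd=configure terminal <cr>
Fri Jan 3 11:09:02 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=513 start_time=1041610142 timezone=EST service=shell priv-lvl=15 cmd=interface Serial0/0 <cr>
Fri Jan 3 11:12:30 2003 toronto sjones tty67 172.25.1.9 stop task_id=514 start_time=1041610350 timezone=EST service=shell priv-lvl=1 cmd=show ip route <cr>
"""
# Assumed offsets for the record's timezone attribute; extend for your zones.
TZ_OFFSETS = {"EST": timedelta(hours=-5)}

def parse_record(line):
    """Split one record into its fixed fields plus the attribute=value pairs."""
    tokens = line.split()
    # Tokens 0-4 are the server-side timestamp, e.g. "Fri Jan 3 11:08:47 2003".
    stamp = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    router, user, tty, src_ip, rec_type = tokens[5:10]
    attrs, key = {}, None
    for tok in tokens[10:]:
        if "=" in tok:              # a new attribute=value pair
            key, val = tok.split("=", 1)
            attrs[key] = val
        elif key is not None:       # "terminal", "<cr>": continuation of the last value
            attrs[key] += " " + tok
    cmd = attrs.get("cmd", "")
    if cmd.endswith("<cr>"):        # strip the carriage-return marker the NAS appends
        cmd = cmd[:-4].strip()
    return {"time": stamp, "router": router, "user": user, "tty": tty, "src_ip": src_ip,
            "type": rec_type, "cmd": cmd, "priv_lvl": int(attrs.get("priv-lvl", 0)),
            "start_time": int(attrs["start_time"]), "timezone": attrs.get("timezone")}

def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def start_time_utc(rec):
    """start_time is the router's Unix epoch for the command; render it in UTC."""
    return datetime.fromtimestamp(rec["start_time"], tz=timezone.utc)

def timestamps_agree(rec):
    """Server stamp (local time) and router epoch should match once the offset is
    applied; a mismatch points at clock skew between router and TACACS+ server."""
    local = rec["time"].replace(tzinfo=timezone.utc) - TZ_OFFSETS[rec["timezone"]]
    return local == start_time_utc(rec)

def records_kept(records, accounting_levels):
    """Records that survive when only these privilege levels are accounted for."""
    return [r for r in records if r["priv_lvl"] in accounting_levels]

def user_timeline(records, user):
    """Ordered (time, router, command) tuples for one user, for forensic reconstruction."""
    return sorted((r["time"], r["router"], r["cmd"]) for r in records if r["user"] == user)
```

Run records_kept(parse_log(SAMPLE_LOG), {15}) to see what the level-15-only configuration would have left you, and with {1, 15} to see what the two-line configuration keeps.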