XAC: How to configure keystroke auditing for TACL SSH sessions

XAC: How to configure keystroke auditing for TACL SSH sessions

Use the following steps to configure XAC auditing for SSH.

Add the XAC command.

The XAC command requires the following keywords to be included.

USER_IGNORED 
START_LOGGED_ON
USER_SWITCH SAFEGUARD_PRIVLOGON  

Note: If XYGATE User Authentication (XUA) is running on the NonStop server, it will need a UAGROUP definition in the UAACL 
XUA: How to enable safeguard-privlogon.

Example:

  COMMAND AUDITED-TACL-SSH
  DESCRIPTION "Keystroke audited TACL over SSH"
      USER 255,255
      ACL $EVERYONE
      OBJECT $SYSTEM.SYSNN.TACL
      USER_IGNORED
      START_LOGGED_ON
      ALIAS_ALL_PROCESSES
      ALIAS "O "  "< < OBEY "
      ALIAS "OBEY " "< < OBEY "
      ALIAS "O$"  "< < OBEY $"
      ALIAS "O\"  "< < OBEY \"
      NULLNULLSTOP
      EXECUTEHANGUP
      CHECKCONNECTION 1000 250
      STOPONERROR 60,66,140,190,191
      DONOTSTOP $*.*.PATHTCP2
      BLANKPASSWORD
      TRACKVOLUME
      TRACKUSERID
      FC
      FCPROMPT "> "
      OPENSBYOBJECTS \*.$*.*.*
      TIMEOUT 1800
      USER_SWITCH SAFEGUARD_PRIVLOGON
      INPUT "LOAD/KEEP 1/$SYSTEM.XYGATEAC.LOADXOA"
      INPUT "sink [#history/reset/]"

Add Safecom DISKFILE record

XAC: How to add SAFEGUARD_PRIVLOGON for an XAC command.

Add the SSH service and set ELP_OBJECT

Example:

TACL> RUN $SYSTEM.ZSSH.STNCOM $ZPTY
% ADD SERVICE TACLAUD, TYPE DYNAMIC, PROG $SYSTEM.XYGATEAC.XYGATEAC, &
PARAM "AUDITED-TACL-SSH", LOGON REQ, MENU HIDDEN
% START SERVICE TACLAUD
%ELP_OBJECT ELP

Add or alter the SSH user.

TACL> RUN $SYSTEM.ZSSH.SSHCOM $SSH00

% ADD USER SYSTEM.OPERATOR,CI-PROGRAM *MENU* TACLAUD FORCE
or
% ALTER USER SYSTEM.OPERATOR,CI-PROGRAM *MENU* TACLAUD FORCE

If this article did not provide a solution, please open a case with our support team by sending an email message to support@xypro.com.
 






    • Related Articles

    • XAC: How to configure keystroke auditing for OSS SSH sessions

      Use the following steps to configure XAC auditing for SSH. Add the XAC command. The XAC command requires the following keywords to be included. USER_IGNORED START_LOGGED_ON USER_SWITCH SAFEGUARD_PRIVLOGON Note: If XYGATE User Authentication (XUA) is ...
    • XAC: How to configure XAC TACLs for static SSH windows

      Add a static service via the SSH STNCOM utility Example: STNCOM $<process name> (Where $<process name> is the name of a valid STN process, e.g. $ZPTY ADD SERVICE AUDTACL, TYPE STATIC 2. The service added in step #1 will need several static windows ...
    • XAC: Non-SSH TACL Sessions Timing Out

      Check the Timeout Value setting for the telserv process: 1. SCF 2. INFO PROCESS $<telserv process>, DETAIL (where $<telserv process> is the telserv process that started the session, e.g. $ZTN0) Example: 3-> info process $ztn0,detail TELSERV Detailed ...
    • XAC: Hanging XAC TACL session filling audit logs

      The STOPONERROR command should be added to the ACACL for commands that spawn TACL sessions. The default STOPONERROR command is: STOPONERROR 60,66,140,190,191 This handles the most common scenarios that would leave hanging sessions but, more can be ...
    • How to make XAC work with NSDEE

      XAC 6.25 or higher is required for XAC and NSDEE. This is because the NSDEEREG file is included with this version and is required for NSDEE support when telnet or SSH is configured to use XAC. To configure NSDEE with XAC is installed, proceed as ...