"Keyloggers can be a quick honeypot addition, as you evaluate deeper-level kernel, network, disk, and binary veracity after a suspicious security event. CERT recommends that any suspect server be rebuilt, but system administrators are often remiss in obtaining proof, right up until "pwnership" creates escalated reactivity where uptime is only a dream. Every one of us knows that ownership is equated to stability in America, right?

"Not all that glitters is gold, however: keyloggers can act as a part of a honeypot, be a component of PCI compliance, part of Sarbanes-Oxley (SOX) audit tools, change management or system administration utilities - or be a part of Trojan viruses. Certainly, a great deal of system penetration and changes are done without using a shell (e.g., webmin, sftpd, httpd/DAV writes, and low-level binary trojans - see Snort or Autopsy).

"It's becoming more and more common to log all root keystrokes in layers of trust and secrecy that users, developers, and even system administrators don't immediately recognize.
"The three most often deployed keyloggers in Linux systems