Here are my thoughts on the subject:
1) Keystroke logs only kick in when you run nexec commands. Otherwise its standard rscd logging - in which case normal Reports User Activity will give this to you. This is especially useful if someone starts another shell such as ksh/bash/whatever - as it starts logging what the user does within this session. You could use the standard activity report to see who started a session and then use blkeylogman against the server to see the details.
2) I think (need to check) you can forward the keystroke logs to syslogs on a server. From here you can forward to a log server if you need to centralise them. Depends on what your idea of usable is I guess :-). Alternatively/additionally I guess as a 'hack' you could create an extended object to list the logs and run compliance to look for specific actions.
3) Probably easiest from a firewall. Alternatively just stop all telnet/ssh/ftp services. You'd always need some time of ILO access I would have thought. Would make managing Windows servers very difficult as well.
4) Also you can setup access alerts for objects. Also remember you can define audit trails and alerts in system authorizations.
On point #3 yes a iptables/ipf firewall would work.
Alternatively tcpwrappers might with BL -anyone know? If you put an entry into the /etc/services and referenced it might that not work? Red Hat should have it installed by default - not sure about other OS's.
I don't have a decent setup in order to test it for you using BL(still setting up my demo env...ugh).
If you give it a shot there should not be much to it:
Make sure you add each port/service needed by BL to the /etc/services file.
The most secure way to configure tcpwrappers is to deny everything by default.
/etc/hosts.deny should contain only the line
Then you can add services to /etc/hosts.allow as appropriate. For example
swat: 192.168.5. : severity notice
sshd: KNOWN : severity notice
ALL: LOCAL : severity notice
You do not need to restart anything after changing these files. They are reread every time a connection is made.
More info here: