NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-14(2) Capture and Record Content

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Capture and record the content of user sessions — the actual commands, files accessed, and data viewed — not just metadata about the session.

Example 1: Enable PowerShell transcription via GPO at Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → "Turn on PowerShell Transcription". Set the output directory to a central file share. Every PowerShell session's complete input and output is saved as a text file.

Example 2: In Linux, use the script command or configure auditd with -w /usr/bin/bash -p x -k shell_use to capture shell session activity. For SSH sessions, configure ForceCommand in sshd_config to wrap sessions with the script command, creating a typescript of the entire session.
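The ForceCommand approach from Example 2, as an added sketch that is not part of the original page: a wrapper that sshd runs for every session and that records the session with script, including the case where the client requested a specific command. It assumes the util-linux version of script; the wrapper path, LOG_DIR and the file naming scheme are hypothetical.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper that records each SSH session with script(1).
# Assumptions (not from the page): util-linux script(1), the LOG_DIR location,
# the file naming scheme, and the install path used below.
#
# sshd_config (hypothetical install path):
#   ForceCommand /usr/local/sbin/record-session.sh run
#
# File-transfer subsystems (sftp, scp) are out of scope for this example.

LOG_DIR="${LOG_DIR:-/var/log/ssh-sessions}"

# Replace every character that is not safe in a file name with "_".
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# Build the typescript path: <dir>/<user>_<client>_<UTC time>_<pid>.log
session_log_path() {
    user=$(sanitize "$1")
    client=$(sanitize "$2")
    printf '%s/%s_%s_%s_%s.log' "$LOG_DIR" "$user" "$client" "$3" "$4"
}

# Choose what runs inside the recording: the command the client asked for
# (sshd exposes it as SSH_ORIGINAL_COMMAND) or, if none, a login shell.
session_command() {
    if [ -n "${1:-}" ]; then
        printf '%s' "$1"
    else
        printf '%s -l' "${2:-/bin/sh}"
    fi
}

record_session() {
    umask 077                                  # typescript readable by owner only
    client=${SSH_CONNECTION:-local}
    client=${client%% *}                       # first field is the client address
    log=$(session_log_path "$(id -un)" "$client" "$(date -u +%Y%m%dT%H%M%SZ)" "$$")
    cmd=$(session_command "${SSH_ORIGINAL_COMMAND:-}" "${SHELL:-/bin/sh}")
    # -q: no start/stop banner, -f: flush after each write, -c: command to record
    exec script -q -f -c "$cmd" "$log"
}

# Only record when invoked as "record-session.sh run", as in the ForceCommand line.
if [ "${1:-}" = "run" ]; then
    record_session
fi
```

Because script runs as the logged-in user, that user can alter or delete the typescript; forward the files off-host or pair them with auditd records if they need to stand as evidence.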