Date: Wed, 14 Aug 2002 01:58:51 +0000
From: Jez Hancock
To: freebsd-questions@FreeBSD.ORG
Subject: Keylogging for a tty session
Message-ID: <20020814015851.A79240@munkboxen.mine.nu>

How can I effectively log all keystrokes entered by a user in a login session? The purpose of the exercise is to audit the changes made by a 'staff' member logging in on a specific account (non UID 0) and to use the logs for later documentation purposes.

Currently I'm using a pretty simplistic method:

    [1:53:30] munk@munkboxen /home/munk# cat /usr/local/ircd/.login
    script -a ircd.scp

using the 'script' utility to append everything to the irc.scp file automatically after the user logs in via the ~/.login file.

However this holds the problem that to stop logging (either inadvertently or otherwise), the user only has to press 'ctrl-d' or type exit to stop the script utility from logging.

I can't think of an easy way of invoking the 'watch'/snp device to capture the data - does anyone have any similar experience with this, perhaps even a kernel level solution a la the snp device?

Thanks in advance,
Jez