Date: 14 Aug 2002 12:22:05 +0000
From: Josh Paetzel <friar_josh@webwarrior.net>
To: Peter Leftwich <Hostmaster@Video2Video.Com>
Cc: Jez Hancock <jez.hancock@munkboxen.mine.nu>, FreeBSD LIST <FreeBSD-Questions@FreeBSD.Org>
Subject: Re: Keylogging for a tty session
Message-ID: <1029327728.305.36.camel@heater.vladsempire.net>
In-Reply-To: <20020813230737.E27430-100000@earl-grey.cloud9.net>
References: <20020813230737.E27430-100000@earl-grey.cloud9.net>
On Wed, 2002-08-14 at 03:14, Peter Leftwich wrote:
> On Wed, 14 Aug 2002, Jez Hancock wrote:
> > How can I effectively log all keystrokes entered by a user in a login session?
>
> I admire you for not asking "Is it possible to..." and asking instead "How
> can I!" With *nix, there is always a way :)
>
> > The purpose of the exercise is to audit the changes made by a 'staff'
> > member logging in on a specific account (non UID 0) and to use the logs
> > for later documentation purposes.
>
> Is the "staff" member logging in via ssh/telnet or to the system console?
>
> > Currently I'm using a pretty simplistic method:
> > [1:53:30] munk@munkboxen /home/munk# cat /usr/local/ircd/.login script -a ircd.scp
> > using the 'script' utility to append everything to the irc.scp file
> > automatically after the user logs in via the ~/.login file.
> >
> > However this holds the problem that to stop logging (either inadvertently or
> > otherwise), the user only has to press 'ctrl-d' or type exit to stop the
> > script utility from logging.
>
> Well I -was- going to mention this method above...
>
> > I can't think of an easy way of invoking the 'watch'/snp device to
> > capture the data - does anyone have any similar experience with this,
> > perhaps even a kernel level solution ala the snp device?
> > Thanks in advance,
> > Jez
>
> It seems like there'd be a utility to run the [current] /dev/tty*** through
> the "tee" command, which would duplicate or replicate all data to a file of
> your choosing, similar to a basic "cat" command. It may be tricky since
> the file would have to be writeable by the user, so what you may just do is
> make the directory not readable or writeable so the file could be added to
> but not wiped out, (for example, the way the "rwrite" command appends a
> copy of the last incoming write message to, for example, one's ~/.rwritelog
> file, which in my case is chmod 622).
>
> The only thing I got for you is something to interject between the keyboard
> driver (if it is a console issue) and the device they are viewing on
> screen.
>
> That, or search tirelessly for a third-party snooping application.
>
> PS- Don't forget about the various shells' "history" built-in features!
>
> --
> Peter Leftwich

This help?

WATCH(8)                FreeBSD System Manager's Manual

NAME
     watch - snoop on another tty line

SYNOPSIS
     watch [-cinotW] [-f snpdev] [tty]

DESCRIPTION
     Watch allows the user to examine all data coming through a specified tty
     using the snp(4) device. If the snp(4) device is not available, watch
     will attempt to load the module (snp). Watch writes to standard output.

Josh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message