From: Josh Paetzel
Reply-To: friar_josh@webwarrior.net
Subject: Re: Keylogging for a tty session
To: Peter Leftwich
Cc: Jez Hancock, FreeBSD LIST
Date: 14 Aug 2002 12:22:05 +0000
Message-Id: <1029327728.305.36.camel@heater.vladsempire.net>
In-Reply-To: <20020813230737.E27430-100000@earl-grey.cloud9.net>

On Wed, 2002-08-14 at 03:14, Peter Leftwich wrote:
> On Wed, 14 Aug 2002, Jez Hancock wrote:
> > How can I effectively log all keystrokes entered by a user in a login
> > session?
>
> I admire you for not asking "Is it possible to..." and asking instead "How
> can I!" With *nix, there is always a way :)
>
> > The purpose of the exercise is to audit the changes made by a 'staff'
> > member logging in on a specific account (non UID 0) and to use the logs
> > for later documentation purposes.
>
> Is the "staff" member logging in via ssh/telnet or to the system console?
> > Currently I'm using a pretty simplistic method:
> >
> > [1:53:30] munk@munkboxen /home/munk# cat /usr/local/ircd/.login
> > script -a ircd.scp
> >
> > using the 'script' utility to append everything to the ircd.scp file
> > automatically after the user logs in via the ~/.login file.
> >
> > However this holds the problem that to stop logging (either inadvertently
> > or otherwise), the user only has to press 'ctrl-d' or type exit to stop
> > the script utility from logging.
>
> Well I -was- going to mention this method above...
>
> > I can't think of an easy way of invoking the 'watch'/snp device to
> > capture the data - does anyone have any similar experience with this,
> > perhaps even a kernel level solution à la the snp device?
> >
> > Thanks in advance,
> > Jez
>
> It seems like there'd be a utility to run the [current] /dev/tty*** through
> the "tee" command, which would duplicate or replicate all data to a file of
> your choosing, similar to a basic "cat" command. It may be tricky since
> the file would have to be writeable by the user, so what you may just do is
> make the directory not readable or writeable so the file could be added to
> but not wiped out, (for example, the way the "rwrite" command appends a
> copy of the last incoming write message to, for example, one's ~/.rwritelog
> file, which in my case is chmod 622).
>
> The only thing I got for you is something to interject between the keyboard
> driver (if it is a console issue) and the device they are viewing on
> screen.
>
> That, or search tirelessly for a third-party snooping application.
>
> PS- Don't forget about the various shells' "history" built-in features!
>
> --
> Peter Leftwich

This help?

WATCH(8)                FreeBSD System Manager's Manual

NAME
     watch - snoop on another tty line

SYNOPSIS
     watch [-cinotW] [-f snpdev] [tty]

DESCRIPTION
     Watch allows the user to examine all data coming through a specified tty
     using the snp(4) device.
     If the snp(4) device is not available, watch will attempt to load the
     module (snp).

     Watch writes to standard output.

Josh
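The weakness Jez describes in the `.login` approach is that `script -a` is started as a child of the login shell, so leaving it (Ctrl-D or `exit`) just returns the user to an unlogged shell. The usual fix on the script(1) side is to make script the login session itself: a wrapper set as the account's login shell that exec's script, so there is no shell to fall back to and leaving script ends the login. The wrapper below is an added example written for this page, not code from the thread or from FreeBSD; the wrapper path /usr/local/bin/logged-sh, the log directory /var/log/ttylog, the TTYLOG_* variables and the 1733 directory mode are assumptions, and the `script file command` form is the FreeBSD script(1) syntax.

```shell
#!/bin/sh
# logged-sh: login-shell wrapper that runs the whole session under script(1).
# Because the wrapper exec's script, there is no shell left to return to:
# Ctrl-D or "exit" in the inner shell ends script and with it the login,
# instead of dropping the user into an unlogged shell as a plain
# "script -a ircd.scp" in ~/.login does.
#
# Added example, not from the original thread. Assumed one-time setup as root:
#   mkdir -p /var/log/ttylog
#   chown root:wheel /var/log/ttylog
#   chmod 1733 /var/log/ttylog           # users may create, not list/unlink
#   echo /usr/local/bin/logged-sh >> /etc/shells
#   chsh -s /usr/local/bin/logged-sh staffuser

LOGDIR="${TTYLOG_DIR:-/var/log/ttylog}"   # assumed log location
REAL_SHELL="${TTYLOG_SHELL:-/bin/sh}"     # shell that runs inside script(1)

# ttylog_path USER STAMP PID: one file per session, so concurrent logins of
# the same account never interleave in one transcript.
ttylog_path() {
    printf '%s/%s.%s.%s.scp\n' "$LOGDIR" "$1" "$2" "$3"
}

# ttylog_dir_ok DIR OWNER: succeed only if DIR exists, is owned by OWNER and
# has no read bit for group or other plus the sticky bit (e.g. mode 1733).
# Users can then append new files but cannot list or remove other sessions'
# logs. Parses `ls -ld`, which is POSIX, so it works on FreeBSD and Linux.
ttylog_dir_ok() {
    [ -d "$1" ] || return 1
    set -- "$1" "$2" $(ls -ld "$1")
    # After the set: $3 is the mode string, $5 the owner name.
    [ "$5" = "$2" ] || return 1
    case "$3" in
        d???-w?-w[tT]*) return 0 ;;   # d rwx -w? -w t  (trailing * allows ACL '+')
        *)              return 1 ;;
    esac
}

start_logged_session() {
    if ! ttylog_dir_ok "$LOGDIR" root; then
        echo "logged-sh: $LOGDIR is missing or badly protected; refusing login" >&2
        exit 1                         # fail closed: no logging, no session
    fi
    umask 077                          # transcript readable by owner only
    log=$(ttylog_path "$(id -un)" "$(date +%Y%m%d-%H%M%S)" "$$")
    # exec: nothing to return to, so leaving script(1) ends the session.
    exec /usr/bin/script -a "$log" "$REAL_SHELL"
}

# login(1) and sshd start a login shell with argv[0] prefixed by '-'. Only
# then do we wrap the session; running or sourcing this file by name just
# defines the functions above.
case "$0" in
    -*) start_logged_session ;;
esac
```

Two caveats a practitioner should keep in mind. First, the transcript is created by and owned by the user: `umask 077` keeps it private and the sticky bit stops them unlinking other sessions' files, but nothing here stops them truncating their own current log; on FreeBSD, root can `chflags sappnd` the files (and run at kern.securelevel 1 or higher so the flag cannot be cleared), or a root-owned process can collect the transcripts. Second, the wrapper only intercepts login shells; `ssh host command` and scp invoke the shell as `logged-sh -c ...` without the leading dash, so with this wrapper they simply do nothing, which is fail-closed but may need an explicit `-c` branch if such access is required.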