Date: Wed, 14 Aug 2002 19:10:01 +0000 From: Jez Hancock <jez.hancock@munkboxen.mine.nu> To: Peter Leftwich <Hostmaster@Video2Video.Com> Cc: FreeBSD questions List <freebsd-questions@freebsd.org> Subject: Re: Keylogging for a tty session Message-ID: <20020814191001.A81327@munkboxen.mine.nu> In-Reply-To: <20020813230737.E27430-100000@earl-grey.cloud9.net>; from Hostmaster@Video2Video.Com on Tue, Aug 13, 2002 at 11:14:58PM -0400 References: <20020814015851.A79240@munkboxen.mine.nu> <20020813230737.E27430-100000@earl-grey.cloud9.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Aug 13, 2002 at 11:14:58PM -0400, Peter Leftwich wrote: > On Wed, 14 Aug 2002, Jez Hancock wrote: > > How can I effectively log all keystrokes entered by a user in a login session? > > I admire you for not asking "Is it possible to..." and asking instead "How > can I!" With *nix, there is always a way :) :) - I'd just recited this as my daily matra: http://homepages.tesco.net/~J.deBoynePollard/FGA/ ! > > The purpose of the exercise is to audit the changes made by a 'staff' > > member logging in on a specific account (non UID 0) and to use the logs > > for later documentation purposes. > > Is the "staff" member logging in via ssh/telnet or to the system console? It's a friend logging in as the 'ircd' user via a ssh connection. > > Currently I'm using a pretty simplistic method: > > [1:53:30] munk@munkboxen /home/munk# cat /usr/local/ircd/.login script -a ircd.scp > > using the 'script' utility to append everything to the irc.scp file > > automatically after the user logins in via the ~/.login file. > > > > However this holds the problem that to stop logging (either inadvertently or > > otherwise), the user only has to press 'ctrl-d' or type exit to stop the > > script utility from logging. > > Well I -was- going to mention this method above... :) it is effective just as long as the user doesn't 'exit' the script session using 'ctrl-d' or 'exit'. I realized one other unfortunate drawback to logging via this method is that the output from a 'w' command doesn't reveal a lot about what the user is currently doing. The only info you get is that the user is running 'script -a ircd.scp' - not greatly informative! Better is 'tail -f /usr/local/ircd/ircd.scp', but still a bit messy. > > I can't think of an easy way of invoking the 'watch'/snp device to > > capture the data - does anyone have any similar experience with this, > > perhaps even a kernel level solution ala the snp device? > > Thanks in advance, > > Jez > > It seems like there'd be a utility to run the [current] /dev/tty*** through > the "tee" command, which would duplicate or replicate all data to a file of > your choosing, similar to a basic "cat" command. It may be tricky since > the file would have to be writeable by the user, so what you may just do is > make the directory not readable or writeable so the file could be added to > but not wiped out, (for example, the way the "rwrite" command appends a > copy of the last incoming write message to, for example, ones ~/.rwritelog > file, which in my case is chmod 622). This sounds interesting - a quick google has turned up some info on 'remote write' - is this the rwrite in question? Tee would be great for viewing the tty stream in real-time, any idea how I can kick it off in a way that's transparent to the user? > The only thing I got for you is something to interject between the keyboard > driver (if it is a console issue) and the device they are viewing on > screen. > > That, or search tirelessly for a third-party snooping application. Looks like this is the way to go - I'll search a bit more, all hail google. > PS- Don't forget about the various shells' "history" built-in features! :) cheers, I need to catch the keystrokes performed inside 'vi' though :( I guess at the end of the day without kernel hacking or 3rd party tools, the best bet will be just to stick with 'script' and trust the user. Many thanks for your reply. Jez To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020814191001.A81327>