Date: Tue, 13 Aug 2002 23:14:58 -0400 (EDT)
From: Peter Leftwich <Hostmaster@Video2Video.Com>
To: Jez Hancock <jez.hancock@munkboxen.mine.nu>
Cc: FreeBSD LIST <FreeBSD-Questions@FreeBSD.Org>
Subject: Re: Keylogging for a tty session
Message-ID: <20020813230737.E27430-100000@earl-grey.cloud9.net>
In-Reply-To: <20020814015851.A79240@munkboxen.mine.nu>
On Wed, 14 Aug 2002, Jez Hancock wrote:
> How can I effectively log all keystrokes entered by a user in a login session?

I admire you for not asking "Is it possible to..." and asking instead "How can I!" With *nix, there is always a way :)

> The purpose of the exercise is to audit the changes made by a 'staff'
> member logging in on a specific account (non UID 0) and to use the logs
> for later documentation purposes.

Is the "staff" member logging in via ssh/telnet or to the system console?

> Currently I'm using a pretty simplistic method:
> [1:53:30] munk@munkboxen /home/munk# cat /usr/local/ircd/.login
> script -a ircd.scp
> using the 'script' utility to append everything to the irc.scp file
> automatically after the user logs in via the ~/.login file.
>
> However this holds the problem that to stop logging (either inadvertently or
> otherwise), the user only has to press 'ctrl-d' or type exit to stop the
> script utility from logging.

Well I -was- going to mention this method above...

> I can't think of an easy way of invoking the 'watch'/snp device to
> capture the data - does anyone have any similar experience with this,
> perhaps even a kernel level solution ala the snp device?
> Thanks in advance,
> Jez

It seems like there'd be a utility to run the [current] /dev/tty*** through the "tee" command, which would duplicate or replicate all data to a file of your choosing, similar to a basic "cat" command. It may be tricky since the file would have to be writeable by the user, so what you may just do is make the directory not readable or writeable so the file could be added to but not wiped out (for example, the way the "rwrite" command appends a copy of the last incoming write message to, for example, one's ~/.rwritelog file, which in my case is chmod 622). The only thing I got for you is something to interject between the keyboard driver (if it is a console issue) and the device they are viewing on screen.

That, or search tirelessly for a third-party snooping application.

PS- Don't forget about the various shells' "history" built-in features!

--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
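As an added example (not code from this thread), here is one way to close the Ctrl-D gap Jez describes: a fragment for a POSIX sh login (~/.profile or /etc/profile, rather than the csh ~/.login in the question) that execs script(1) so that leaving the recorder ends the whole login, and appends to a transcript in a protected directory along the lines Peter suggests. The directory /var/log/session-audit, the AUDIT_SESSION marker variable and the operator pre-creating the file with chflags sappnd are assumptions about the deployment.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX sh login fragment. Assumes
# $AUDIT_LOG_DIR exists, is root-owned and mode 1733 (users can create
# but not list/remove), and that script(1) supports -a (append), as on FreeBSD.

AUDIT_LOG_DIR="${AUDIT_LOG_DIR:-/var/log/session-audit}"

# Per-user transcript name; appended across logins. A function so the naming
# policy is testable and easy to change.
audit_log_path() {
    printf '%s/%s.typescript\n' "$2" "$1"
}

# Decide whether this shell should start recording. Skip when already inside
# a recorded session (marker exported below), when there is no terminal
# (scp/sftp/cron would hang on script), or for root (handled elsewhere).
should_record() {
    user="$1"; in_session="$2"; has_tty="$3"
    [ "$in_session" != "1" ] || return 1
    [ "$has_tty" = "1" ] || return 1
    case "$user" in
        root) return 1 ;;
    esac
    return 0
}

# Replace the login shell with script(1). Because of exec, Ctrl-D or 'exit'
# inside the recorded shell ends the whole login instead of dropping the user
# into an unrecorded shell, which is the gap the plain .login approach left.
# The transcript is opened with -a (append). If the operator has pre-created
# the file and set 'chflags sappnd' on it (assumed deployment step), the user
# can append to it but not truncate or remove it.
start_recording() {
    logfile=$(audit_log_path "${USER:-$(id -un)}" "$AUDIT_LOG_DIR")
    AUDIT_SESSION=1
    export AUDIT_SESSION
    exec script -a "$logfile"
}

# Entry point: only act in an interactive shell ($- contains 'i').
case $- in
    *i*)
        tty_flag=0
        [ -t 0 ] && tty_flag=1
        if should_record "${USER:-$(id -un)}" "${AUDIT_SESSION:-0}" "$tty_flag"; then
            start_recording
        fi
        ;;
esac
```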