keystroke logging

richard childers / kg6hac fscked at pacbell.net
Wed Jan 7 20:15:39 PST 2004


>What do you recommend for keeping track of user
>activities?  For preserving bash histories I followed
>these recommendations:
>
>http://www.defcon1.org/secure-command.html
>
Interesting reading but, as others have noted, of limited use.

Keystroke logging can be disabled by - as others have noted - either 
spawning another (perhaps different) shell, using a remote shell ... or, 
for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it 
and see.

Daemonized Networking Services has produced a standalone server 
configuration that uses a modified script(1) and .login to collect 
keystroke logs; the target users are consultants, or companies, who 
administer highly secure networking equipment via serial links or 
command-line interfaces, and whose own business files, or customers - 
banks, say, or government agencies - require logs of what they did - for 
purposes of auditing, disaster recovery, and liability-related issues.

This method captures every keystroke - including typos before hitting 
RETURN - and cannot be sabotaged. As an added advantage, the logs can be 
immediately, or subsequently, forwarded via electronic mail, so that 
they are replicated in multiple places.

We also have a network server configuration that incorporates everything 
described above, as well as an encrypted filesystem; although the 
encrypted filesystem is optional, and there are some unresolved issues 
related to backing up the contents - as well as recovering them - your 
entire home directory, including your personal startup files, is 
incorporated into the encrypted filesystem. Pretty cool; add a GUI, 
maybe an office suite, and we think we can give Windows 2000 a run for 
its money - in some quarters, at least. (Angel VCs are welcome; 
development isn't cheap, here in the Bay Area.)

I mention this as a shameless plug for our products, which are based on 
FreeBSD, as well as pursuant to the topic at hand; incidentally, freely 
dispensing intellectual property that took years to acquire, in 
exchange. (Gotta stop that.)

(You folks all signed NDAs, right?)

(-;


Regards,

-- richard

-- 

Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
https://www.daemonized.com
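Added example, not part of the original post and not Daemonized's product: a small reader for the kind of raw session capture the post describes. A pty-level recorder (FreeBSD's script(1) with its -k option logs keys sent to the program as well as output; that byte stream is assumed as the input format here) keeps every keystroke, including backspaced typos, which is exactly what a shell history file loses when the shell exits without writing it. The sample bytes are constructed; the helper names are this example's own.

```python
import re

# CSI escape sequences (colours, cursor movement) emitted by the shell/prompt.
ANSI_CSI = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")

# Constructed sample of a raw capture: three lines, two containing edits
# and one containing a coloured prompt. Not a real log.
SAMPLE = (
    b"$ ls -lq\x7fa\r\n"                      # DEL fixes a typo
    + b"$ cat /etc/mtod\x08\x08\x08otd\r\n"   # three backspaces fix a typo
    + b"\x1b[32m$ \x1b[0mexit\r\n"            # ANSI-coloured prompt
)

EDIT_KEYS = {0x08, 0x7F, 0x15}  # BS, DEL, Ctrl-U (kill line)


def normalize_typescript(raw):
    """Replay the capture and return the lines as the user finally left them.

    Backspace/DEL remove the previous byte, Ctrl-U clears the line, CR is
    dropped (LF terminates the line), CSI escapes are stripped first.
    """
    raw = ANSI_CSI.sub(b"", raw)
    lines, cur = [], []
    for b in raw:
        if b in (0x08, 0x7F):
            if cur:
                cur.pop()
        elif b == 0x15:
            cur = []
        elif b == 0x0D:
            continue
        elif b == 0x0A:
            lines.append(bytes(cur).decode("utf-8", "replace"))
            cur = []
        else:
            cur.append(b)
    if cur:  # unterminated final line (capture ended mid-line)
        lines.append(bytes(cur).decode("utf-8", "replace"))
    return lines


def render_keystrokes(raw):
    """Show the raw capture for an auditor, with control bytes made visible.

    Unlike normalize_typescript(), nothing is collapsed: the typo and the
    keys that corrected it both remain in the rendering.
    """
    names = {0x08: "<BS>", 0x7F: "<DEL>", 0x0D: "<CR>", 0x1B: "<ESC>",
             0x15: "<^U>", 0x09: "<TAB>"}
    out = []
    for b in raw:
        if b == 0x0A:
            out.append("<LF>\n")
        elif b in names:
            out.append(names[b])
        elif b < 0x20:
            out.append("<^%s>" % chr(b + 0x40))  # other control keys
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("<%02x>" % b)  # non-ASCII bytes shown in hex
    return "".join(out)


def count_edits(raw):
    """Number of line-editing keystrokes (BS/DEL/Ctrl-U) in the capture."""
    return sum(1 for b in raw if b in EDIT_KEYS)


if __name__ == "__main__":
    print("Raw keystrokes as the auditor sees them:")
    print(render_keystrokes(SAMPLE))
    print("Commands as finally entered:")
    for line in normalize_typescript(SAMPLE):
        print("  " + line)
    print("line-editing keystrokes:", count_edits(SAMPLE))
```

normalize_typescript() gives the auditor the same view a history file would have given, had it survived; render_keystrokes() is the view only a pty-level capture can give. Real captures also contain the program's output interleaved with the typed keys, so in practice the two streams should be separated (script -k marks them differently) before applying this replay.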
