keystroke logging
richard childers / kg6hac
fscked at pacbell.net
Thu Jan 8 05:47:49 PST 2004
I did say 'modified' script(1), yes, the obvious has been taken into
account.
Thanks for pointing it out, though !!
-- richard
Peter Pentchev wrote:
>On Wed, Jan 07, 2004 at 08:15:16PM -0800, richard childers / kg6hac wrote:
>
>
>>>What do you recommend for keeping track of user
>>>activities? For preserving bash histories I followed
>>>these recommendations:
>>>
>>>http://www.defcon1.org/secure-command.html
>>>
>>>
>>>
>>Interesting reading but, as others have noted, of limited use.
>>
>>Keystroke logging can be disabled by - as others have noted - either
>>spawning another (perhaps different) shell, using a remote shell ... or,
>>for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it
>>and see.
>>
>>Daemonized Networking Services has produced a standalone server
>>configuration that uses a modified script(1) and .login to collect
>>keystroke logs; the target users are consultants, or companies, whom
>>administer highly secure networking equipment via serial links or
>>command-line interfaces, and whose own business files, or customers -
>>banks, say, or government agencies - require logs of what they did - for
>>purposes of auditing, disaster recovery, and liability-related issues.
>>
>>This method captures every keystroke - including typos before hitting
>>RETURN - and cannot be sabotaged. As an added advantage, the logs can be
>>immediately, or subsequently, forwarded via electronic mail, so that
>>they are replicated in multiple places.
>>
>>
>
>I hope you've taken into consideration the fact that script(1) by
>default does not make any modifications to stdio's standard input/output
>buffering. Thus, the script files it creates are fully-buffered by
>default, which for normal files means that they are only actually
>written to when the buffer fills up, and the buffer is usually 1K to 8K
>in size (although I've seen systems with a BUFSIZ of 32K). This means
>that if anyone kills the script(1) process before the output has reached
>1K (or 4K, or whatever) in size, *no* output will be logged, and even if
>the script process is killed afterwards, some of the output will be
>lost. Consider:
>
>[roam at straylight ~]> echo $$
>5781
>[roam at straylight ~]> script outfile
>Script started, output file is outfile
>Starting interactive C shell
>[roam at straylight ~]> echo $$
>5914
>[roam at straylight ~]> ps -o ppid -p $$
> PPID
> 5913
>[roam at straylight ~]> kill -HUP 5913Hangup
> [roam at straylight ~]> echo $$
>5781
>[roam at straylight ~]> cat outfile
>Script started on Thu Jan 8 09:20:17 2004
>[roam at straylight ~]>
>
>The -t option is of some help, although -t 0 could be implemented a bit
>more efficiently with the attached patch.
>
>G'luck,
>Peter
>
>
>
--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
https://www.daemonized.com
More information about the freebsd-security
mailing list