ttyrpld - TTY replay daemon

ttyrpld [rusty colors]

Description >

ttyrpld is a kit to log any traffic and actions which go through any of your Kernel's tty devices. In common-term language, this is a Keylogger. Due to the technical layout of the operating system, it is at the same time a screen logger, since keyboard and screen are both considered to be one device.

This kit consists of a Kernel patch, a Kernel module, a user-space logging daemon and a [user-space] player.

The Kernel patch adds a few lines to provide the "RPL" (short for replay) extension hook, which (any) module can then get onto. The system was not directly written for black-hats who want to leave as little traces as possible, keep in mind. :-)

It supports any tty type (vc, pts, serial, etc.). Being implemented within the Kernel makes it incircumventable for the default user. Another benefit is that it runs with no overhead (ok, I lied: two CPU instructions) if the user-space logging daemon is not active.

The Kernel-side module (rpldev) is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed of the tty is directly passed to the overlying daemons, so with the correct terminal settings you can get a 1:1 "multiplexing".

Having received the captured data, the logging daemon can store them in any format and/or facility, with or without compression, just as it likes, for this happens in user-space and thus you have all the fluffy libraries available. (That would not be the case from Kernel space.) Output from rpld is a packed binary format with timestamps, one to conserve space, because a lot of users generate a lot of mickle, and the latter to allow a real-time 1:1 replay.

Manual pages >

ttyreplay(1) -- manual page for ttyrpld

rpl(4) -- ttyrpld log file format

rpldev(4) -- details of the /dev/rpl device and its data

ttyrpld(7) -- details of the ttyrpld / rpldev implementation

rpld(8) -- manual page for rpld

Categorization
(SF-style) >

Development Status:	5 - Production/Stable
Environment:	Console (Text Based), No Input/Output (Daemon)
Intended Audience:	System Administrators, Information Technology
License:	GNU General Public License (GPL) version 2
Natural Language:	English
Operating System:	Linux 2.4 and 2.6
Programming Language:	C/GNU99
Topic:	Systems Administration, Security

Support >

If you need any help or assistance, there is a number of options open to you:

Support tracker for ttyrpld on Savannah
Bug tracker
Task and To-Do tracker (if you want a feature, please use this in favor of IRC)
IRC channel #ttyrpld on irc.freenode.net.