ttyrpld - TTY replay daemon

ttyrpld [rusty colors]

Description >

ttyrpld is a kit to log any traffic and actions which go through any of your Kernel's tty devices. In common-term language, this is a Keylogger (and Screenlogger).

It supports any tty type (vc, bsd/unix98 pts, serial, isdn, etc.). Being implemented within the Kernel makes it incircumventable for the default user. Another benefit is that it runs with no overhead if the user-space logging daemon is not active. (Ok, I lied: two CPU instructions.)

This kit consists of a Kernel patch, a Kernel module, a user-space logging daemon and a [user-space] player.

The Kernel patch adds a few lines to provide the "RPL" (short for replay) extension hook, which (any) module can then get onto. The system was not directly written for black-hats who want to leave as little traces as possible, keep in mind. :-)

You can get a listing of what tty drivers the Kernel has currently loaded by looking at /proc/tty/drivers. Note that the RPL hooks are placed in the last abstraction layer of the tty code (before it splits out into driver code), so we're really independent.

The Kernel-side module (rpldev) is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed of the tty is directly passed to the overlying daemons, so with the correct terminal settings you can get a 1:1 replay.

Having received the captured data, the logging daemon can store them in any format and/or facility, with or without compression, just as it likes, for this happens in user-space and thus you have all the fluffy libraries available. (That would not be the case from Kernel space.)

More documents >

Installing ttyrpld

Logging over network

Manual pages >

ttyreplay(1) -- manual page for ttyrpld

rpl(4) -- ttyrpld log file format

rpldev(4) -- details of the /dev/rpl device and its data

ttyrpld(7) -- details of the ttyrpld / rpldev implementation

rplctl(8) -- manual page for rplctl

rpld(8) -- manual page for rpld

Categorization
(SF-style) >

Super Short Description:	Incircumventable Kernel-based screen- and keylogger for all tty types (vc, bsd/unix98 pts SSH/xterm, serial, isdn, etc.)
Development Status:	5 - Production/Stable, 6 - Mature
Environment:	Console (Text Based), No Input/Output (Daemon)
Intended Audience:	System Administrators, Information Technology
License:	GNU General Public License (GPL) version 2
Natural Language:	English
Operating System:	Linux 2.4 and 2.6
Programming Language:	C/GNU99
Topic:	Systems Administration, Security

Support >

If you need any help or assistance, there is a number of options open to you:

Support tracker for ttyrpld on Savannah
Bug tracker
Task and To-Do tracker (if you want a feature, please use this in favor of IRC)
IRC channel #ttyrpld on irc.freenode.net.