Description >

ttyrpld is a Kernel-rooted/-based keylogger and screenlogger for Linux 2.x and FreeBSD 5.3 with a real-time and tail-follow log analyzer. It supports most tty types, including vc, bsd- and unix98-style ptys (xterm/ssh), serial, isdn, etc. Being implemented within the Kernel, it cannot be circumvented by an ordinary (non-root) user. Another benefit is that it runs with no overhead when the user-space logging daemon is not active.

 
Categorization (SF-style) >
Super Short Description: Incircumventable Kernel-based tty keylogger and screenlogger for Linux/FreeBSD with real-time and tail-follow log analyzer. Supports vc, bsd/unix98 pty (xterm/ssh), serial, isdn, etc.
Development Status: 5 - Production/Stable
FreeBSD: 4 - Beta
Intended Audience: Advanced End Users, Developers, System Administrators, Telecommunications Industry, Information Technology
License: GNU General Public License (GPL) version 2
Languages (natural first): English
Operating System: Linux 2.x, FreeBSD 5.3
Programming Language: C/GNU89
Topic: Systems Administration, Security
Environment: Non-interactive (Daemon), Command-line, Console/Terminal
 
Technical Aspects >

... which cause it to differ from existing solutions:

Most other solutions deploy the logging completely in userspace and depend on the user to activate the logging. Of course, an intruder does not start e.g. /usr/bin/script voluntarily. I have seen only a few other kernel-based loggers. One of them is sadly outdated, others query the x86 keyboard driver (very unportable!) instead of the tty lines, and some only allow network logging. To sum up, there are only very few solutions I could compare against.

The FreeBSD snooper, watch, which operates on the /dev/snp* devices (and is the only one really suitable for a comparison), can only do the interactive live-feed mode: no logging is possible for later replay, and timestamps and device specification are missing. It is something cheap compared to ttyrpld.

 
Components >

This kit (ttyrpld) consists of four components:

kpatch: The Kernel patch adds a few lines to provide the rpldev extension hooks, which any module can then hook into. Keep in mind that the system was not written for black-hats who want to leave as few traces as possible. :-)

rpldev: The Kernel module is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed off the tty is passed directly to the overlying daemons, so with the correct terminal settings you can get a 1:1 replay.

rpld: Having received the captured data, the logging daemon can store it in any format and/or facility, with or without compression, just as it likes, because this happens in user-space and thus you have all the fluffy libraries available. (That would not be the case from Kernel space.)

ttyreplay: The real-time log analyzer. Think of it as a video player for tty logs.
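As an added illustration of the daemon/analyzer split described above (this is example code, not part of ttyrpld and not the rpl(5) format), the following Python sketch shows the two pieces a log analyzer like ttyreplay needs once a logging daemon has written timestamped, device-tagged records: a tail-follow reader that copes with a partially written trailing record, and a replay scheduler that reproduces the original keystroke timing (optionally sped up, with long idle gaps capped, and filtered to one device). The record layout, the device ids and the sample session are all constructed for this example.

```python
import struct
import time
from collections import namedtuple

# Constructed record layout for this example only; it is NOT the rpl(5)
# on-disk format of ttyrpld. Each record is a little-endian header followed
# by the raw tty bytes:
#   timestamp (float64, seconds), device id (uint32), payload length (uint16)
HEADER = struct.Struct("<dIH")
Record = namedtuple("Record", "ts dev data")


def pack_record(ts, dev, data):
    """Serialize one captured tty chunk, as a logging daemon might on write."""
    return HEADER.pack(ts, dev, len(data)) + bytes(data)


def parse_records(buf):
    """Parse every complete record in buf; return (records, leftover_bytes).

    A trailing partial record is handed back as leftover so a tail-follow
    reader can prepend it to the next chunk instead of losing or garbling it.
    """
    records, off = [], 0
    while len(buf) - off >= HEADER.size:
        ts, dev, n = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + n
        if end > len(buf):
            break                       # payload not fully written yet
        records.append(Record(ts, dev, bytes(buf[off + HEADER.size:end])))
        off = end
    return records, bytes(buf[off:])


def follow(fileobj, poll=0.2, stop_when_idle=False):
    """Yield records from a growing log file, tail -f style."""
    pending = b""
    while True:
        chunk = fileobj.read()
        if chunk:
            records, pending = parse_records(pending + chunk)
            for r in records:
                yield r
        elif stop_when_idle:
            return
        else:
            time.sleep(poll)


def replay_schedule(records, speed=1.0, max_gap=None, only_dev=None):
    """Turn records into (delay_seconds, dev, data) steps.

    Inter-record gaps are preserved, divided by `speed`, and capped at
    `max_gap` so playback does not stall on a long idle period. `only_dev`
    restricts playback to a single tty, i.e. one session.
    """
    steps, prev_ts = [], None
    for r in records:
        if only_dev is not None and r.dev != only_dev:
            continue
        gap = 0.0 if prev_ts is None else max(0.0, r.ts - prev_ts)
        delay = gap / speed
        if max_gap is not None:
            delay = min(delay, max_gap)
        steps.append((delay, r.dev, r.data))
        prev_ts = r.ts
    return steps


def replay(records, write, sleep=time.sleep, **opts):
    """Play the log back like a video: wait the original gap, then emit bytes."""
    for delay, dev, data in replay_schedule(records, **opts):
        if delay:
            sleep(delay)
        write(dev, data)


if __name__ == "__main__":
    import io
    import sys

    def emit(dev, data):
        sys.stdout.buffer.write(data)
        sys.stdout.buffer.flush()

    # Constructed sample session: device 1 types "ls"; device 2 is another tty.
    log = io.BytesIO(b"".join([
        pack_record(1000.0, 1, b"ls\r"),
        pack_record(1000.5, 1, b"total 0\r\n$ "),
        pack_record(1002.0, 2, b"x"),
    ]))
    recs = list(follow(log, stop_when_idle=True))
    replay(recs, emit, speed=2.0, max_gap=0.5, only_dev=1)
```

The leftover-bytes handling in parse_records is the part that matters for a tail-follow analyzer: a daemon writing records while the analyzer reads will routinely be caught mid-record, and a reader that discards or misparses that tail produces garbled replays and corrupt timestamps.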

 

by Jan Engelhardt *