ttyrpld – tty logging daemon  

2010-11-22 13:02:35 | Category: linux


Description

ttyrpld is a multi-OS kernel-level tty logger (a key- and screen-logger for ttys) with (a)synchronous replay support. It supports most tty types, including virtual consoles, BSD- and Unix98-style ptys (xterm/ssh), serial, ISDN, etc. Because the capture is implemented inside the kernel, an ordinary user cannot avoid it. It runs with no overhead when the logging daemon is not active.

Technical aspects

The following points distinguish it from existing solutions:

Most other solutions implement the logging entirely in user space and depend on the user to activate it; an intruder certainly does not start e.g. /usr/bin/script voluntarily. I have seen only a few other kernel-based loggers. One of them is outdated; the others query the x86 keyboard driver using interrupt hijacking and a fixed translation table. That is very unportable, because it only catches raw AT keyboard scancodes, not USB or other keyboards (unless they are in compatibility mode), and it does not work at all for sessions arriving over the network.

Only FreeBSD's watch(8) snooper, which operates on the /dev/snp* devices, is comparable. However, it can only provide an interactive live feed; it cannot log for later replay, and packet time stamps are missing.

Components

This kit (ttyrpld) consists of four components:

kpatch: The kernel patch adds a few lines that provide the rpldev extension hooks, which any module can then attach to.

rpldev: The kernel module is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed off the tty is passed directly to the daemon above it, so with the correct terminal settings you can get a 1:1 replay.

For systems where module loading is not possible or not widely supported (OpenBSD, for example), rpldev is integrated into the kpatch.

rpld: Having received the captured data, the logging daemon can store it in any format and/or facility, with or without compression, however it likes, because this happens in user space, where all the convenient libraries are available. (That would not be the case from kernel space.)

ttyreplay: real-time log analyzer. Think of it as a simple video player.
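The split described above (a kernel hook hands time-stamped packets to a user-space daemon, which writes a log that a player later replays with the original timing) can be illustrated with a small self-contained program. The following is an added example and not code from ttyrpld: its 16-byte record layout, the EV_* event codes, the function names and the sample session are assumptions made for illustration, and the real rpld log format is not described on this page.

```c
/* Added example: a hypothetical time-stamped tty-log record format plus a
 * replay routine, in the spirit of rpld/ttyreplay. NOT ttyrpld's own format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Event codes of the hypothetical format (assumption, not ttyrpld's). */
enum { EV_OPEN = 1, EV_READ = 2, EV_WRITE = 3, EV_CLOSE = 4 };

#define HDR_LEN 16   /* sec(4) usec(4) tty(4) event(2) len(2), little-endian */

struct rec {
    uint32_t sec, usec;   /* time stamp taken when the kernel hook saw the data */
    uint32_t tty;         /* device number of the tty the data belongs to */
    uint16_t event;       /* EV_* */
    uint16_t len;         /* payload length in bytes */
    const uint8_t *data;  /* payload; points into the log buffer once parsed */
};

static void le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void le16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Append one record, as the daemon would on receiving a packet from the
 * kernel module. Returns the new write offset, or 0 if the buffer is full. */
size_t log_put(uint8_t *buf, size_t cap, size_t off, const struct rec *r)
{
    if (cap - off < HDR_LEN + (size_t)r->len) return 0;
    le32(buf + off, r->sec);      le32(buf + off + 4, r->usec);
    le32(buf + off + 8, r->tty);  le16(buf + off + 12, r->event);
    le16(buf + off + 14, r->len);
    memcpy(buf + off + HDR_LEN, r->data, r->len);
    return off + HDR_LEN + r->len;
}

/* Parse the record at *off and advance. Returns 1 on success, 0 at end of
 * log, -1 if the log ends mid-record (e.g. daemon killed while writing). */
int log_next(const uint8_t *buf, size_t end, size_t *off, struct rec *r)
{
    if (*off == end) return 0;
    if (end - *off < HDR_LEN) return -1;
    r->sec = get32(buf + *off);      r->usec  = get32(buf + *off + 4);
    r->tty = get32(buf + *off + 8);  r->event = get16(buf + *off + 12);
    r->len = get16(buf + *off + 14);
    if (end - *off - HDR_LEN < r->len) return -1;
    r->data = buf + *off + HDR_LEN;
    *off += HDR_LEN + r->len;
    return 1;
}

/* Microseconds between two records, clamped at 0 (the clock may be stepped). */
int64_t delay_us(const struct rec *prev, const struct rec *cur)
{
    int64_t d = ((int64_t)cur->sec - prev->sec) * 1000000
              + ((int64_t)cur->usec - prev->usec);
    return d < 0 ? 0 : d;
}

/* Constructed sample session: prompt, "ls" typed, its output, then hangup. */
size_t build_sample_log(uint8_t *buf, size_t cap)
{
    const uint32_t tty = (136u << 20) | 1;   /* e.g. Linux pts major 136, minor 1 */
    const struct rec evs[] = {
        {1000, 0,      tty, EV_OPEN,  0,  (const uint8_t *)""},
        {1000, 500,    tty, EV_WRITE, 2,  (const uint8_t *)"$ "},
        {1000, 400000, tty, EV_READ,  3,  (const uint8_t *)"ls\r"},
        {1000, 400300, tty, EV_WRITE, 10, (const uint8_t *)"ls\r\nfile\r\n"},
        {1001, 0,      tty, EV_CLOSE, 0,  (const uint8_t *)""},
    };
    size_t off = 0;
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++) {
        off = log_put(buf, cap, off, &evs[i]);
        if (off == 0) return 0;
    }
    return off;
}

/* Replay like a player would: screen output (EV_WRITE) is reassembled into
 * `screen`, keystrokes (EV_READ) into `keys`, and the time the player would
 * sleep between packets, divided by `speed`, is summed into *sleep_us.
 * Returns the number of records, or -1 if the log is truncated. */
int replay(const uint8_t *buf, size_t len, double speed, char *screen,
           size_t scap, char *keys, size_t kcap, int64_t *sleep_us)
{
    size_t off = 0, so = 0, ko = 0;
    struct rec prev = {0}, cur;
    int n = 0, rc, have_prev = 0;
    *sleep_us = 0;
    while ((rc = log_next(buf, len, &off, &cur)) == 1) {
        if (have_prev) *sleep_us += (int64_t)(delay_us(&prev, &cur) / speed);
        if (cur.event == EV_WRITE && so + cur.len < scap) { memcpy(screen + so, cur.data, cur.len); so += cur.len; }
        if (cur.event == EV_READ  && ko + cur.len < kcap) { memcpy(keys + ko, cur.data, cur.len); ko += cur.len; }
        prev = cur; have_prev = 1; n++;
    }
    screen[so] = 0; keys[ko] = 0;
    return rc < 0 ? -1 : n;
}

int main(void)
{
    uint8_t buf[256]; char screen[64], keys[64]; int64_t s;
    size_t n = build_sample_log(buf, sizeof buf);
    int recs = replay(buf, n, 1.0, screen, sizeof screen, keys, sizeof keys, &s);
    printf("%d records, %zu bytes, sleep %lld us\nkeys: %s\nscreen:\n%s",
           recs, n, (long long)s, keys, screen);
    return 0;
}
```

Two details matter for a real log: every record's length is checked against the remaining bytes before the payload is touched, so a log cut off while the daemon was writing is reported as truncated rather than read past its end, and the inter-packet delay is clamped at zero so a stepped clock cannot make the player wait forever.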
