TILT is a set of terminal logging and playback tools for auditing telnet and SSH connections made from a bastion host. It provides timestamped logs and real-time playback of those logs for incident reports, incident analysis or as a training aid.
I use it as the basis for incident reports after a network event I have worked on. I can sit down the morning after (managers always ask for reports the next day) with a timestamped log, syslogs and the call history from my phones and produce a report of when I did things, exactly what I saw and when things were fixed. I also use it to find out how I last did something on a server.
There are many ways this tool can be installed. Here is a list of the ways I have installed different versions of this code.
1) PATH-based telnet and ssh replacements.
Drop the TILT wrappers in a directory and put that directory before /usr/bin in the users' PATH.
Easy to do.
The real telnet and ssh binaries are not touched.
Easy to bypass: a user only has to call /usr/bin/ssh by its full path, or change their own PATH.
2) Full telnet and ssh replacements.
Create a logging user.
Change the ownership and permissions of the real telnet and ssh binaries so that only the logging user can execute them.
Put the TILT telnet and ssh wrappers in /usr/bin and set them setuid to the logging user.
Create iptables rules (owner match module) that allow only the logging user to open outbound connections to port 23.
Change the ssh binary so that it opens the TCP connection before setuid-ing back to the running user.
After these changes iptables filtering works for ssh as well.
Harder to get around.
Harder to maintain: upgrading and patching ssh and telnet become an issue, because each update replaces the modified binaries.
Users can still get around it if they think a little.
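The steps of method 2 as a shell script. This is an added example, not part of TILT: the logging user name (tiltlog) and the staging directory for the wrappers (/usr/local/lib/tilt) are assumptions, and the patched ssh client the page describes (one that connects before dropping back to the calling user) is not shown here. The script prints its plan by default (DRY_RUN=1); set DRY_RUN=0 and run it as root to apply it.

```shell
#!/bin/sh
# Added example, not TILT's own installer.  Assumed names: logging user
# "tiltlog", TILT wrappers staged in /usr/local/lib/tilt/{telnet,ssh}.
LOG_USER=${LOG_USER:-tiltlog}
DRY_RUN=${DRY_RUN:-1}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: a system account with no interactive login of its own.
create_logging_user() {
    run useradd -r -s /sbin/nologin "$LOG_USER"
}

# Steps 2 and 3: move the real client aside so only the logging user can
# execute it, and install the TILT wrapper setuid to that user in its place.
# Linux ignores setuid on interpreted scripts, so the wrapper must be a
# compiled binary.
install_wrapper() {   # $1 = telnet | ssh
    client=$1
    run mv "/usr/bin/$client" "/usr/bin/$client.real"
    run chown "$LOG_USER:$LOG_USER" "/usr/bin/$client.real"
    run chmod 0500 "/usr/bin/$client.real"
    run cp "/usr/local/lib/tilt/$client" "/usr/bin/$client"
    run chown "$LOG_USER:root" "/usr/bin/$client"
    run chmod 4755 "/usr/bin/$client"
}

# Step 4: the owner match only exists for locally generated packets, i.e. the
# OUTPUT chain.  Order matters: the ACCEPT for the logging user must come
# before the catch-all REJECT.  Root is not exempted by these rules.
egress_rules() {   # $1 = destination port
    run iptables -A OUTPUT -p tcp --dport "$1" \
        -m owner --uid-owner "$LOG_USER" -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport "$1" -j REJECT --reject-with tcp-reset
}

apply_all() {
    create_logging_user
    install_wrapper telnet
    install_wrapper ssh
    egress_rules 23
    egress_rules 22
}

# Usage: sh tilt-lockdown.sh apply            (prints the plan)
#        DRY_RUN=0 sh tilt-lockdown.sh apply  (applies it, as root)
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Port 22 is included because the page's point is that, once the ssh client connects as the logging user, the same owner rule covers ssh; without the patched client, the rule would simply block every ssh session from that host, so test with DRY_RUN=1 first.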
3) Force it via a menued bastion host.
Create a bastion host that only offers a menu letting users ssh or telnet via TILT.
Logging is mandatory.
A bastion host is good for network security in its own right.
Some users resent not having shell access on the bastion host.
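A menu-only login shell of the kind method 3 relies on, as an added example that is not part of TILT. It assumes the TILT wrappers are installed on the PATH as tilt-ssh and tilt-telnet taking the target host as their only argument, and that permitted targets are listed one per line in /etc/tilt/hosts.allow; all three names are assumptions. The important part is valid_target: everything the user types is checked against a strict hostname pattern and an allow list before it reaches a command line, so "host; sh" or an ssh option such as -oProxyCommand=... cannot be used to escape the menu.

```shell
#!/bin/sh
# Added example: menu-only login shell for a TILT bastion host.
# Install with: usermod -s /usr/local/bin/tilt-menu <user>
# Assumed names: tilt-ssh, tilt-telnet, /etc/tilt/hosts.allow.
ALLOWED_HOSTS=${ALLOWED_HOSTS:-/etc/tilt/hosts.allow}

# Accept only a plain hostname that is on the allow list.  Rejects empty
# input, anything starting with '-' (would be parsed as an option by the
# client) and any character outside [A-Za-z0-9.-] (shell metacharacters,
# whitespace).  A missing allow list fails closed (grep exits non-zero).
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    grep -qxF -- "$1" "$ALLOWED_HOSTS"
}

# Map a menu choice and target to the command to run.  Returns non-zero for
# anything that is not one of the two logged connection types.
build_command() {   # $1 = menu choice, $2 = target host
    valid_target "$2" || return 1
    case "$1" in
        1) echo "tilt-ssh $2" ;;
        2) echo "tilt-telnet $2" ;;
        *) return 1 ;;
    esac
}

# The interactive loop.  Signals are ignored so ^C/^Z cannot drop the user
# to a prompt; EOF or 'q' ends the session.
menu_loop() {
    trap '' INT QUIT TSTP
    while :; do
        printf '1) ssh   2) telnet   q) quit\nchoice: '
        read -r choice || exit 0
        [ "$choice" = q ] && exit 0
        printf 'target host: '
        read -r target || exit 0
        if cmd=$(build_command "$choice" "$target"); then
            # Safe to word-split: the target passed validation above.
            $cmd
        else
            echo "refused: unknown choice or host not on the allow list" >&2
        fi
    done
}

# Start the menu only when run as the user's shell, not when sourced for tests.
if [ "${1:-}" = --login-shell ] || [ "$0" != "${0#-}" ]; then
    menu_loop
fi
```

Because the script is the user's login shell, there is no shell to fall back to; anything TILT itself allows (for example an ssh escape sequence) is still outside this script's control and is TILT's job to log.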
4) Make TILT run a shell instead of telnet or ssh, and replace the user's login shell with TILT.
All interaction is logged.
Can be combined with any of the other methods.
All local and remote interactions end up in the same log file.
I have not personally tried TILT in this configuration.
What's New in This Release:
· fixed some warnings about nanosleep could not sleep reported by nano bug
· fixed incorrect calculation of sleep time when -m was used and not