ttyrpld is a Kernel-based keylogger and screenlogger for Linux, FreeBSD and OpenBSD, and includes a real-time, tail-following log analyzer.
ttyrpld supports most tty types, including vc, bsd and unix98-style ptys (xterm/ssh), serial, isdn, etc.
Being implemented within the Kernel makes it unavoidable for the default user. Another benefit is that it runs with no overhead if the user-space logging daemon is not active.
ttyrpld consists of four components:
kpatch: The Kernel patch adds a few lines to provide the rpldev extension hooks, which (any) module can then get onto. The system was not directly written for black-hats who want to leave as little traces as possible, keep in mind.
rpldev: The Kernel module is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed of the tty is directly passed to the overlying daemons, so with the correct terminal settings you can get a 1:1 replay.
For systems where module loading is not possible (OpenBSD for example), these two components are integrated into the kpatch.
rpld: Having received the captured data, the logging daemon can store them in any format and/or facility, with or without compression, just as it likes, for this happens in user-space and thus you have all the fluffy libraries available. (That would not be the case from Kernel space.)
- This release updates the code to work with libHX 1.25 and Linux 2.6.27.