sh2log 1.0 review

by rbytes.net on

sh2log is a PTY sniffing program that captures all keystrokes and console output of physical and virtual consoles

License: GPL (GNU General Public License)
File size: 78K
Developer: Christophe Devine

sh2log works in userland and does not require the installation of a kernel module.

Consequently, it can be run on a wide range of UNIX platforms. It provides ready-to-use log files and is meant to be used for legitimate purposes such as auditing user actions on a sensitive server or a honeypot.

2. How to install it

2.1. Edit config.h and set the following values:

CONNECT_IP      IP address of the machine on which sh2logd runs
SERVER_PORT     UDP port in use by sh2logd
REAL_SHELL_DIR  Directory for the real shells (/bin/shells)
MAX_LOG_SIZE    Maximum size before a new log file is created
secret          A 128-bit symmetric key used to secure the data when it is transmitted over the network

2.2. Compile sh2log by running "make system", where system is one of: linux, freebsd, openbsd, cygwin, sunos, aix, irix, hpux or osf.

2.3. Replace the original shell with sh2log and run sh2logd:

# mkdir /bin/shells/
# cp -p /bin/{sh,bash} /bin/shells/
# rm -f /bin/{sh,bash}
# cp -p sh2log /bin/bash
# cp -p sh2log /bin/sh
# ./sh2logd

If you see an error message about "bash: text file busy", check that you have removed the original file before copying sh2log over it. Also, I'd recommend not running sh2log and sh2logd on the same machine.

Warning: /bin/sh is often a symlink to /bin/bash. DO NOT FORGET TO CREATE "/bin/shells/sh" OR YOUR SYSTEM WILL BE UNUSABLE!
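The shell swap from step 2.3 and the symlink warning above, as an added POSIX shell script that is not part of sh2log or this page. It stages both real shells as regular files in REAL_SHELL_DIR, checks the staging, and only then removes and replaces the originals, so a /bin/sh symlink cannot be lost. It assumes REAL_SHELL_DIR is /bin/shells (the config.h value quoted above), that the shells to wrap are sh and bash, and that a ROOT argument is given ("/" on the real host, a scratch directory for a rehearsal); the function names are my own.

```shell
#!/bin/sh
# Added example, not part of sh2log: performs the shell swap from step 2.3
# under a chosen root directory and refuses to remove anything until both
# real shells have been staged as regular files in REAL_SHELL_DIR.
# Assumptions: REAL_SHELL_DIR is /bin/shells (the config.h value quoted in
# the text); the shells to wrap are sh and bash; ROOT is "/" on a real host
# and a scratch directory when rehearsing.

SHELLS="sh bash"

# stage_real_shell ROOT NAME: copy ROOT/bin/NAME to ROOT/bin/shells/NAME.
# cp -L dereferences a symlink such as /bin/sh -> bash, so the backup is the
# real interpreter rather than a link that would point back at the sh2log
# wrapper after the swap (the case the warning is about).
stage_real_shell() {
    src="$1/bin/$2"
    dest="$1/bin/shells/$2"
    if [ ! -e "$src" ]; then
        echo "stage_real_shell: $src does not exist" >&2
        return 1
    fi
    cp -pL "$src" "$dest" || return 1
    # the backup must be a regular, non-empty, executable file
    [ -f "$dest" ] && [ ! -L "$dest" ] && [ -s "$dest" ] && [ -x "$dest" ]
}

# replace_shell ROOT SH2LOG NAME: remove ROOT/bin/NAME first (this is what
# avoids "text file busy" when that shell is running) and copy sh2log in.
replace_shell() {
    rm -f "$1/bin/$3" || return 1
    cp -p "$2" "$1/bin/$3"
}

# install_sh2log ROOT SH2LOG: stage every real shell, check the staging,
# and only then replace the originals.
install_sh2log() {
    root=${1%/}
    sh2log=$2
    if [ ! -x "$sh2log" ]; then
        echo "install_sh2log: $sh2log is not an executable file" >&2
        return 1
    fi
    mkdir -p "$root/bin/shells" || return 1
    for name in $SHELLS; do
        stage_real_shell "$root" "$name" || return 1
    done
    # nothing has been removed up to this point
    for name in $SHELLS; do
        replace_shell "$root" "$sh2log" "$name" || return 1
    done
}

# verify_install ROOT SH2LOG: after the swap, every wrapper in ROOT/bin must
# be a byte-identical copy of sh2log and every backup a regular file.
verify_install() {
    root=${1%/}
    for name in $SHELLS; do
        [ -f "$root/bin/shells/$name" ] || return 1
        [ ! -L "$root/bin/shells/$name" ] || return 1
        cmp -s "$2" "$root/bin/$name" || return 1
    done
    return 0
}

# Usage: sh install_sh2log.sh ROOT /path/to/sh2log
# Rehearse with ROOT set to a scratch directory, then run as root with
# ROOT=/ and start ./sh2logd afterwards as in step 2.3.
if [ "$#" -eq 2 ]; then
    install_sh2log "$1" "$2" && verify_install "$1" "$2"
fi
```

Rehearsing against a scratch root with a fake bin/bash and a bin/sh -> bash symlink shows the point of the ordering: both backups exist as regular files before the first rm runs, and verify_install fails loudly if either wrapper or backup is not what it should be.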

3. Monitoring your users: the interactive log parser

First, try running ./parser on the provided sh2log example file "test.bin". Window resizing requires XTerm (not rxvt, eterm or konsole) and a valid DISPLAY; if you use PuTTY, resize the window by hand.

The parser provides both non-interactive and interactive (takedown-like) modes of operation. In interactive mode you can pause, fast-forward (2x or 4x), follow in real time what users are doing on the system, and keep a live view of all terminals.
