First page Back Continue Last page Summary Graphics
Log keystrokes directly from tty driver to host
- small patch to tty driver and UML
- allows real-time monitoring
- undetectable, unbreakable
Log system messages directly to host
- Attach /dev/log to host socket
- No apparent logging inside UML
- undetectable, maybe unbreakable
The pseudo-terminal logging patch changes the pty driver so that it logs all data going through it to a file on the host.
With 'tail -f', it is possible to monitor activity inside UML in real time. Since it involves no cooperation from processes inside UML, it is undetectable and unbreakable. It is also able to capture all keystrokes unencrypted since it is inside the pty driver, which is on the decrypted side of any ssh connection.
It will also be possible to log system messages directly to the host by tying /dev/log to a socket on the host. There would be no detectable logging happening inside UML, which would increase the comfort level of anyone breaking in. This is also undetectable. It may be partly breakable, since messages from daemons could be prevented from being logged if the intruder removed the /dev/log socket. However, kernel messages would still make it out.