Session recording
VirginSnow at vfemail.net
Mon Mar 31 17:25:04 EDT 2008
> Date: Sat, 29 Mar 2008 13:13:43 -0400
> From: "Kenny Lussier" <klussier at gmail.com>
> >
> > > Using script isn't an option because it logs all of the control
> > > characters.
> >
> > Not sure why you object to "control characters" since they're
> > legitimately part of most sessions.
>
> They are legitimate, but they are also very messy, and it adds a layer
> of complexity to clean it up and log it to a remote system for log
> analysis and auditing.
Why ignoring control characters like Ken wants will never work:
user at hostname $ perl -e 'while (read STDIN, $ctrl, 1) { if ($odd) { print chr($chr+ord($ctrl)); } else { $chr = ord($ctrl) * 16; } $odd = ($odd + 1) % 2; }' | bash
That sets up the shell on hostname to read a control-character-encoded
stream on standard input, translate to ASCII, and send the result to
another bash. By transmitting properly encoded control characters,
arbitrary commands can be issued. For example:
user at hostname $ echo -en \\007\\002\\006\\015\\002\\000\\002\\015\\007\\002\\006\\006\\002\\000\\002\\017\\000\\012 | perl -e 'while (read STDIN, $ctrl, 1) { if ($odd) { print chr($chr+ord($ctrl)); } else { $chr = ord($ctrl) * 16; } $odd = ($odd + 1) % 2; }'
rm -rf /
user at hostname $
Without logging control characters, the command "rm -rf /" would never
be logged, because the control characters would not be recorded.
You'd be able to tell that someone was issuing commands off the record
(because you could see the perl command to do it) but you would never
know what encoded commands were issued.
So you really gotta log the control characters, too. Sorry. :(
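The encoding scheme described above, and the claim that a capture with the control characters stripped cannot be turned back into the command, worked through as an added example. This is not code from the original post: it re-implements the perl decoder in Python, adds the matching encoder, and runs both over a constructed session capture. The capture text, the strip_control_chars() sanitizer and the recover_commands() heuristic are assumptions made for this example.

```python
import re

# Added example, not from the original post. Re-implements the nibble
# encoding the perl one-liner decodes, and shows what a log sanitizer that
# drops control characters leaves an auditor. The session capture, the
# sanitizer and the recover_commands() heuristic are constructed here.


def encode_nibbles(data: bytes) -> bytes:
    """Inverse of the perl decoder: each byte becomes two bytes holding its
    high and low nibble, so every output byte is in 0..15 (a "control
    character" by any definition)."""
    out = bytearray()
    for b in data:
        out.append(b >> 4)
        out.append(b & 0x0F)
    return bytes(out)


def decode_nibbles(stream: bytes) -> bytes:
    """Same arithmetic as the perl: chr($hi * 16 + $lo) for each byte pair.
    The perl does no validation; here an odd-length stream or a byte
    outside 0..15 is rejected so the result is always a valid byte."""
    if len(stream) % 2:
        raise ValueError("odd-length stream: last nibble has no partner")
    if any(b > 0x0F for b in stream):
        raise ValueError("byte outside the 0..15 nibble range")
    return bytes(stream[i] * 16 + stream[i + 1]
                 for i in range(0, len(stream), 2))


# The byte string from the post's `echo -en` line: same octal values, same
# order.
POSTED_STREAM = (b"\007\002\006\015\002\000\002\015"
                 b"\007\002\006\006\002\000\002\017\000\012")

# The decoder invocation as it appears in the post (the visible part).
DECODER_CMD = (
    b"perl -e 'while (read STDIN, $ctrl, 1) { if ($odd) "
    b"{ print chr($chr+ord($ctrl)); } else { $chr = ord($ctrl) * 16; } "
    b"$odd = ($odd + 1) % 2; }' | bash\n"
)


def build_session(command: bytes) -> bytes:
    """Constructed raw capture of what the user typed: the decoder
    invocation, then the encoded command the decoder turns into bash's
    input."""
    return b"user@hostname $ " + DECODER_CMD + encode_nibbles(command)


def strip_control_chars(raw: bytes) -> bytes:
    """The "clean it up" step the post argues against: keep printable
    ASCII and newline, drop every other byte before shipping the log."""
    return bytes(b for b in raw if 0x20 <= b < 0x7F or b == 0x0A)


def recover_commands(raw: bytes) -> list:
    """Auditor-side heuristic: after each `| bash` line in a capture, take
    the run of bytes with values 0..15 and decode it as nibble pairs.
    Returns an empty list when nothing decodable survived."""
    found = []
    for m in re.finditer(rb"\| bash\n", raw):
        tail = raw[m.end():]
        n = 0
        while n < len(tail) and tail[n] <= 0x0F:
            n += 1
        n -= n % 2            # a dangling nibble decodes to nothing
        if n:
            found.append(decode_nibbles(tail[:n]))
    return found


if __name__ == "__main__":
    raw = build_session(b"rm -rf /\n")
    clean = strip_control_chars(raw)
    print("raw capture decodes to:      ", recover_commands(raw))
    print("sanitized capture decodes to:", recover_commands(clean))
    print("sanitized capture still shows the decoder:",
          b"perl -e" in clean)
```

Run as a script it prints three lines: the raw capture decodes back to the command, the sanitized capture decodes to nothing, and the sanitized capture still contains the perl invocation. That is the situation the post describes: the auditor can see that a decoder was started but not what was fed to it. The only byte of the encoded stream the sanitizer keeps is the trailing newline nibble, which on its own carries no information.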