Ttyrpld is a Linux software that functions as a keylogger and screenlogger based on the Kernel. It enables computer users to track and record keyboard and screen activities.
ttyrpld supports most tty types, including vc, bsd and unix98-style ptys (xterm/ssh), serial, isdn, etc. And since it's implemented within the Kernel, it's impossible for the default user to avoid. However, one of the benefits of this is that it runs with no overhead if the user-space logging daemon is not active.
ttyrpld is made up of four components, with kpatch being one of them. The Kernel patch adds a few lines to provide the rpldev extension hooks, which any module can then get onto. While the system wasn't designed with black-hats in mind, it may still provide adequate coverage for those who are looking to minimize their traces.
rpldev is another component of ttyrpld, with the Kernel module responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed off the tty is directly passed to the overlying daemons, so with the correct terminal settings, you can get a 1:1 replay. For systems where module loading isn't possible (such as OpenBSD), these two components are integrated into the kpatch.
Finally, there's rpld, which is responsible for storing the captured data in any format and/or facility, with or without compression, just as it likes. Since this happens in user-space, all of the fluffy libraries available can be used. This wouldn't be the case if everything occurred in Kernel space. Overall, ttyrpld is a robust solution and worth considering if you're in need of a keylogger/screenlogger.
Version 2.60: N/A