two examples of keystroke loggers in linux (ubuntu).

1. CIS 216
Dan Morrill
Highline Community College

2.  While most companies will purchase software to do keystroke
logging sometimes based on a court order, or a request/order
from the legal department, or other party in the company, a
system admin will be asked to record the keystrokes of an
employee.
 Keystroke Loggers are Illegal?
 Not Necessarily – companies can and often do keystroke log their
employees
 Courts in some jurisdictions have declined to take the step to
prohibit the surreptitious use of keyloggers, despite the apparent
option to apply state legislation. This posture leaves individuals
vulnerable to having their private information exploited by their
employers. Given alternative methods of surveillance, lack of
federal regulation, and advancing technology, extending state
statutes is necessary and just. (Harvard Law, 2012)

3.  Keylogging - Employers sometimes install keylogging programs that
record every single keystroke you use on your computer. This allows
them to see everything you are typing, including your passwords. The
Stored Communication Act and Federal Wiretap Act, along with some
state laws may offer limited protection, but so far most employers are
getting away with this intrusive practice.
 Email monitoring - Many companies have written policies saying the
company can monitor your email. That means that they may look at
your personal emails sent on company computers and devices, even if
you used your personal email address.
 Website monitoring - Your employer is almost certainly monitoring
your internet usage. That means if you're checking out porn
sites, visiting YouTube, updating Facebook, or doing your holiday
shopping, your employer will know about it. You may be violating a
company Internet usage policy. If you aren't working the hours you're
paid for, the employer may well discipline you for your Internet usage.
(AOL, 2012)

4.  The Fourth Amendment applies whenever the
government — whether local, state or federal —
conducts a search or seizure. It protects you from an
unreasonable search or seizure by any government
official or agent, not just the police.
 The Fourth Amendment does not protect you from
privacy invasions by people other than the
government, even if they later hand over what they
found to the government — unless the government
directed them to search your things in the first place.
(EFF, 2006)

5.  The most common methods used to construct
keylogging software are as follows:
 A system hook which intercepts notification that a key
has been pressed (installed using WinAPI
SetWindowsHook for messages sent by the window
procedure. It is most often written in C);
 A cyclical information keyboard request from the
keyboard (using WinAPI Get(Async)KeyState or
GetKeyboardState – most often written in Visual
Basic, sometimes in Borland Delphi);
 Using a filter driver (requires specialized knowledge and
is written in C). (SecureList, 2007)

6.  Declare the variables:
 log_dir=/home/
current_user=$(whoami)
log_time=$(date +%m%d%y%H%M%S)
log_file="current_user$log_time"
attempt="0"
test_log_file="$log_file"

7.  Write the function:
 create_log()
{
while [ -e $test_log_file ] # Checks for an existing file with the
name found in $log_file.
do # If $log_file is found, increment by one and try again.
attempt="$attempt+1"
test_log_file="$log_file""_$attempt"
done
log_file="$test_log_file"
touch $log_file # Once a viable filename has been found, this
file is created.
chmod 600 $log_file # Make $log_file writable for logging.
}

8.  Do the work
 close_log()
{
if [ -e $log_file ] # Tests for the existence of $log_file.
then
echo "" >> $log_file
echo "****************************************" >> $log_file
echo "Logfile closing at $(date +%m%d%y%H%M%S)." >> $log_file # Adds final
date/time entry to log
else
echo "Test 3b"
echo "Logfile did not exist. No record of keystroke logging exists." >> $log_file # If log
does not exist, creates log and logs failure
echo "Created $log_file to report this error." >> $log_file
echo "Logfile created at $(date +%m%d%y%H%M%S)." >> $log_file
echo "Logfile will now close."
fi
chmod 400 $log_file # Guarantees log is left in read-only mode, even if trap triggered
during logging.
kill -9 > /dev/null # Guarantees ending of this process.
}

9.  Trap the users input and create the log
 trap 'close_log; exit 0' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18 19 20 26
create_log
script $log_file
close_log
exit

10.  Setup reporting via e-mail as a distro list
 LOG_MANAGER="logman" # List to e-mail audit log
 Logman is the distro-email

11.  Setup the cleanup routine so no logs are left behind on the system
being monitored
 cleanup_exit () # This will do the cleanup execute and exit function.
{
# This function is executed on any type of exit except of course
# a kill -9, which cannot be trapped. The script log file is
# e-mailed either locally or remotely and the log file is
# compressed. The last "exit" is needed so the user does not
# have the ability to get to the command line without logging.
if [[ -s ${LOGDIR}/${LOGFILE} ]]
then
mailx -s "$TS - $LOGNAME Audit Report" $LOG_MANAGER
< ${LOGDIR}/${LOGFILE}
compress ${LOGDIR}/${LOGFILE} 2>/dev/null
fi
exit
}

12.  Set the exit trap
 trap 'cleanup_exit' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 26

13.  Declare the variables
 TS=$(date +%m%d%y%H%M%S) # File time stamp
THISHOST=$(hostname|cut -f1-2 -d.) # This is the host name of this
machine
LOGDIR=/home/ganesh/other/logger_files # Log files are saved on the
logger files
# automatically and also
# This is the path that hold to the logs
LOGFILE=${THISHOST}.${LOGNAME}.$TS # Creates the name of the
log file
touch $LOGDIR/$LOGFILE # Creates the actual file
set -o vi 2>/dev/null # Previous commands recall
# Set the command prompt
export PS1="[THISHOST]@"'$PWD> '

14.  Running parameters
 chmod 774 ${LOGDIR}/${LOGFILE} # giving full
control/permission to for the owner & Group
# and read and write permissons to the other.
script ${LOGDIR}/${LOGFILE} # Start the script
monitoring session
chmod 774 ${LOGDIR}/${LOGFILE} # Set permission to
read, write and execute for the owner and group
# and read and write permission to other.
cleanup_exit # Execute the cleanup and exit
function

15.  There is always more than one solution
 Sometimes you need to write a key logger that is
required for work, and you will not want to trigger an
Anti-virus/malware response
 Be careful – this is pretty cool, but leads to liability
work if not suffencently covered by authorization from
management