ttysnoop

The ttysnoop gadget watches the output from a tty or pts device.

Use Cases

This gadget captures the interactive shell activity within your Kubernetes pods, in containers and on the host.

Audit trail

This gadget helps you keep an audit trail of actions performed by administrators in interactive shells on your Kubernetes clusters. This covers commands executed using kubectl exec -ti or kubectl run -ti, which allow direct interaction with pods. Implementing such an audit trail can be particularly useful for clusters that should otherwise not be tampered with, or where stricter control over administrator actions is desired.

For more use cases and how this tool can be applied, you can refer to Scribery.

Foundation for Intrusion Detection Systems

While it doesn't directly trigger alerts or manage keyword lists, the collected data can serve as a foundation for building your own intrusion detection systems. You can then integrate this data with other security tools to analyze what's typed or displayed in the pod, enabling you to detect potential intrusions based on your own defined keywords or regular expressions.

Recording and Replaying Terminal Sessions

While the gadget itself doesn't offer a replay feature, the recorded data provides all the necessary information for you to build your own solution for replaying these sessions. This capability is especially useful for demonstrations, analysis, or creating reproducible scenarios.

For a well-known example of how recorded terminal data can be used for replaying, you can refer to Asciinema.

Training and Certification

The gadget's ability to record interactive terminal sessions can be beneficial in educational and certification contexts. For instance, these recordings can be used to document practical exercises, track progress during training, or review performance in hands-on certification exams. This can be useful for assessments like the Certified Kubernetes Administrator (CKA) exam, where candidates perform tasks in a live environment.

Requirements

• Minimum Kernel Version : 6.1

Getting started

Running the gadget:

kubectl gadget

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/ttysnoop:latest [flags]

ig

$ sudo ig run ghcr.io/inspektor-gadget/gadget/ttysnoop:latest [flags]

Flags

No flags.

Guide

First, we need to run an application that generates some events.

kubectl gadget

$ kubectl run -ti mypod --restart=Never --image=busybox -- sh -c 'while /bin/true ; do echo foo ; sleep 3 ; done'
pod/mypod created

ig

$ docker run --name test-ttysnoop -ti busybox /bin/sh -c 'while /bin/true ; do echo foo ; sleep 3 ; done'

Then, let's run the gadget:

kubectl gadget

$ kubectl gadget run ttysnoop:latest --podname mypod
K8S.NODE          K8S.NAMESPACE  K8S.PODNAME  K8S.CONTAINERNAME  COMM     PID     TID LEN  BUF
minikube-docker   default        mypod        mypod              sh    542352  542352 4    foo
minikube-docker   default        mypod        mypod              sh    542352  542352 4    foo
^C

We can stop the gadget by hitting Ctrl-C.

ig

$ sudo ig run ttysnoop:latest --containername test-ttysnoop
RUNTIME.CONTAINERNAME  COMM     PID     TID LEN  BUF
test-ttysnoop          sh    542352  542352 4    foo
test-ttysnoop          sh    542352  542352 4    foo
^C

Finally, clean the system:

kubectl gadget

$ kubectl delete pod mypod

ig

$ docker rm -f test-ttysnoop