tker is a tool for Solaris system administrators managing open networks in hostile environments (university computer labs, for example). What the client really needed was the ability to monitor 200 servers in real time with one qualified admin and one student assistant.
This tool can do lots of cool stuff:
- Get computer info, including ARP and IP address, snoop packets from/to the host, check login history, grab error logs, view the monitor, view all keystrokes, processes, memory use, etc.
- Work with computers by deactivating network cards, configuring hubs, configuring Win95 with Back Orifice, telnet, ftp, ssh, ping, and nmap.
- Get info about a user, including login history, current logins, contents of text terminals, contents of graphics terminals, keystrokes, disk usage, network traffic, processes, memory use, etc.
- Work with user accounts by locking accounts, killing processes, checking disk use, deleting accounts, and editing config files.
- Monitor system CPU with tyr, ps, xosview, procmeter, top, etc.
- Single-click access to common tools like admintool and linuxconf.
- Very sophisticated network packet analysis.
The use cases:
- The tool will alert an administrator of excessive CPU consumption by a single user on a shared system. The administrator, with two clicks, can then see what, and who, is consuming the resources. Three clicks later the admin can be viewing the contents of TTY sessions, VNC sessions, and/or X Window servers. With just two clicks more, the user's system activity (network traffic, TTY logs, X11 events, keystrokes, and mouse movements) can be logged for later disciplinary review by the IT security board. And finally, just one more click away, the admin can disconnect the user or take over any TTY sessions, X11 clients, or VNC sessions.
- The tool notifies local administrators when critical systems that should not be accessed from shared student labs are accessed -- administrative computers holding student grades, for example. Logging of all host activity (network traffic, TTY logs, X11 events, keystrokes, and mouse movements) is automatically initiated without admin intervention. When the admin brings up the tool, a monitoring window showing host activity is automatically opened -- one click and the host is disconnected from the network at the layer 2 switch, two clicks and the admin has taken over the host (X11, VNC, and TTY).
- The tool provides novice administrators with the ability to trace TCP/IP flows/streams without knowing much about TCP/IP. For example, a TTY connected to a telnet session may be selected, and the network ports the TTY is using will be detected. The session traffic from just that telnet session can then be isolated, and the contents of the packets extracted. The contents can even be sent to a screen replay tool so that one can "watch" the session after the fact.
- The network syslog messages are automatically monitored, and when trigger patterns are matched (a sequence of messages or a simple regular expression on single messages) an action is triggered.
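The syslog trigger matching described in the last use case, as an added example that is not part of tker: single-message regex triggers alongside ordered multi-message sequence triggers, run over constructed sample log lines. Trigger names, the sample messages, and the sequence window are assumptions made for the example.

```python
import re
# Constructed sample syslog lines (not from the original page): two failed
# su attempts followed by a success, then a remote root login over telnet.
SAMPLE_LOG = """\
Mar  3 10:01:02 lab12 su: 'su root' failed for alice on /dev/pts/3
Mar  3 10:01:09 lab12 su: 'su root' failed for alice on /dev/pts/3
Mar  3 10:01:15 lab12 su: 'su root' succeeded for alice on /dev/pts/3
Mar  3 10:02:40 lab12 in.telnetd[812]: connect from 10.0.5.7
Mar  3 10:02:44 lab12 login: ROOT LOGIN /dev/pts/4 FROM 10.0.5.7
""".splitlines()

# Single-message triggers: one regex, fires on every matching line.
SINGLE_TRIGGERS = {
    "root-remote-login": re.compile(r"login: ROOT LOGIN .* FROM \S+"),
}
# Sequence triggers: ordered regexes that must all match, in order, within
# SEQUENCE_WINDOW consecutive messages (a stale partial match is discarded).
SEQUENCE_TRIGGERS = {
    "su-root-after-failures": [
        re.compile(r"su: 'su root' failed"),
        re.compile(r"su: 'su root' failed"),
        re.compile(r"su: 'su root' succeeded"),
    ],
}
SEQUENCE_WINDOW = 20

def monitor(lines, single=SINGLE_TRIGGERS, sequences=SEQUENCE_TRIGGERS,
            window=SEQUENCE_WINDOW):
    """Return [(trigger_name, line_number)] for every trigger that fires;
    the real tool would start an action (alert, begin host logging) per hit."""
    fired = []
    # Per-sequence state: patterns matched so far, line where the match began.
    state = {name: (0, 0) for name in sequences}
    for n, line in enumerate(lines, start=1):
        for name, pattern in single.items():
            if pattern.search(line):
                fired.append((name, n))
        for name, seq in sequences.items():
            idx, start = state[name]
            if idx and n - start > window:
                idx = 0                          # partial match expired
            if seq[idx].search(line):
                start = n if idx == 0 else start
                idx += 1
                if idx == len(seq):              # whole sequence observed
                    fired.append((name, n))
                    idx = 0
            state[name] = (idx, start)
    return fired
```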
User info:
- finger output
- login history
- Processes & resource usage
- Image of the user's X11 display
User info:
- Process list with process killing
- Image of the user's Win95 screen
- Summary of their disk use
- Clickable list of their files.
General user information:
- Integration with tyr
- User CPU & RAM consumption
- Output of finger
- Output of who
Network trace between two hosts
Details of a packet from the previous screen