Terminal Session Audit · Linux · eBPF

Full visibility, auditability,
and control over every session

tap captures every TTY/PTY session on a Linux host using eBPF. Local-first — install on a server, list and watch sessions immediately, no extra daemons, no network. Authentication is the kernel's own answer to "who's connecting": SO_PEERCRED on a Unix socket. Remote and AI access via hop →


Three commands, full session visibility

From a fresh install to streaming a live session in seconds.

tap list

Active sessions you can see. Sticky opener identity (who logged in) plus the current writer (sudo/setpriv visible inline). Byte counters, age, idle.

tap snapshot N

Current screen of pty N as a row × column grid. Colors, attributes, alt-screen, cursor — full SGR-aware reproduction.

tap watch N

Live byte stream into your terminal. Captured escape sequences flow through unchanged; what the original user sees, you see.

Terminal — local audit
$ tap list
2 active session(s):
pty= 3 user=alice(1000) comm=bash pid= 3214 out=12384b/421ev in=83b/12ev age=82s idle=0ms
pty= 4 opener=alice(1000) writer=root(0) comm=sudo out=2891b/14ev in=4b/1ev age=12s idle=0ms
# `opener=alice writer=root` flags the privilege escalation —
# alice opened the session, currently sudo is writing.

$ tap snapshot 3
snapshot pty=3 (24x80)
┌────────────────────────────────────────────────────────────────────────────────┐
│alice@myserver:~$ vim notes.md                                                  │
│ 1 # Project plan                                                               │
│ 2                                                                              │
│ 3 ## Next sprint                                                               │
│ ...                                                                            │

$ tap watch 3
(stream opened: stream_id=1)
(initial frame: 24x80, replay=1342 bytes)
# Live byte stream renders alice's session in real time.

Install

One curl. Linux only, because eBPF requires a Linux kernel. If piping a remote script into bash is against your policy, download install.sh first, read it, then run it.

Install (Linux x86_64 / arm64)
$ curl -fsSL https://tap.keik.ai/install.sh | bash

Daemon installs as root

hop-tap-d runs as a systemd unit as root: loading and attaching eBPF programs needs CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN on kernels older than 5.8, which predate those two capabilities).

tap installs to /usr/local/bin

The CLI you actually run. Connects to the daemon's local Unix socket.

Run any session

tap captures every TTY/PTY automatically. Existing sessions are seeded from /proc.

Audit

tap list immediately. No keys, no peers, no setup beyond the install.

Permission model

Authentication is the kernel's authoritative answer to "who's connecting" — not a claim on the wire.

SO_PEERCRED on a Unix socket

The daemon listens on /run/hop-tap/local.sock with mode 0666, so any local user can connect. On each accept, the daemon reads SO_PEERCRED from the kernel, which reports the connecting process's real uid (along with its pid and gid). The wire carries no identity claims, so a client has nothing to lie with. One caveat worth knowing: the kernel records the peer's credentials at connect() time, so a process that connects as root and then drops privileges keeps the root role for the life of that connection.

Two tiers, one rule

Root (uid 0) gets the creator role and sees every active session. Non-root users get the peer role and see only sessions whose opener matches their username. Opener identity is captured once at session creation and never updated, so running sudo or setpriv inside a session changes the writer shown in tap list but not who the session belongs to: it stays in the opener's scope and is never reclassified as a root session.

Why this shape

Local audit on a single host has a natural authority gradient: root is the OS administrator. Anything more complex (ACLs, named groups, capabilities) wouldn't survive contact with the actual deployments, where root is what you have. tap embraces it.

  • Kernel-authoritative identity via SO_PEERCRED
  • uid 0 sees everything
  • non-root sees only sessions they opened
  • Sticky opener survives sudo / setpriv mid-session
  • Forbidden and missing ptys get the same error wording, so non-root can't enumerate other users' sessions by probing
Terminal — same daemon, two callers
# root sees every session
root# tap list
2 active session(s):
pty=0 user=root(0) comm=script ...
pty=1 user=alice(1000) comm=script ...

# alice sees only her own
alice$ tap list
1 active session(s):
pty=1 user=alice(1000) comm=script ...

# forbidden snapshot — same error as a missing pty,
# so non-root can't enumerate other users by probing
alice$ tap snapshot 0
error: no active session with pty_index=0
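The permission model above, as an added example in Python (not tap's own code, which is Rust): a daemon that listens on a world-connectable Unix socket, takes the caller's uid from SO_PEERCRED instead of from the request, maps uid 0 to the creator role and everyone else to peer, scopes peers by the sticky opener uid rather than the current writer, and answers a forbidden pty with the same wording as a missing one. The session table, the request strings, the reply wording and the scoping by uid (the page scopes by username) are constructed for this example; tap's real protocol may differ.

```python
"""Added example, not tap's own code: SO_PEERCRED authentication on a 0666 Unix socket."""
import os
import socket
import struct
import tempfile

# Linux only: SO_PEERCRED does not exist on other platforms.
SUPPORTS_PEERCRED = hasattr(socket, "SO_PEERCRED")

# Constructed session table standing in for the daemon's eBPF-fed state.
# opener_uid is captured once at session creation and never updated (sticky);
# writer_uid is whoever currently holds the pty (sudo flips it to 0).
SESSIONS = {
    0: {"opener": "root",  "opener_uid": 0,    "writer": "root", "writer_uid": 0,    "comm": "script"},
    1: {"opener": "alice", "opener_uid": 1000, "writer": "root", "writer_uid": 0,    "comm": "sudo"},
    2: {"opener": "bob",   "opener_uid": 1001, "writer": "bob",  "writer_uid": 1001, "comm": "bash"},
}


def peer_credentials(conn):
    """The kernel's answer to "who connected": (pid, uid, gid) of the peer process,
    sampled when it called connect(). Nothing in the request is consulted."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)  # struct ucred: pid, uid, gid


def role_for(uid):
    """uid 0 is the creator (sees everything); everyone else is a peer."""
    return "creator" if uid == 0 else "peer"


def visible_sessions(uid, sessions=SESSIONS):
    """Scope by sticky opener uid, never by the current writer."""
    if role_for(uid) == "creator":
        return dict(sessions)
    return {n: s for n, s in sessions.items() if s["opener_uid"] == uid}


def handle(uid, request, sessions=SESSIONS):
    """Answer one CLI request for an already-authenticated uid."""
    parts = request.split()
    visible = visible_sessions(uid, sessions)
    if parts == ["list"]:
        lines = [f"{len(visible)} active session(s):"]
        for n, s in sorted(visible.items()):
            lines.append(f"pty={n} opener={s['opener']}({s['opener_uid']}) "
                         f"writer={s['writer']}({s['writer_uid']}) comm={s['comm']}")
        return "\n".join(lines)
    if len(parts) == 2 and parts[0] == "snapshot" and parts[1].isdigit():
        n = int(parts[1])
        if n not in visible:
            # Same wording whether the pty belongs to someone else or does not exist,
            # so a peer cannot probe pty numbers to learn what other users have open.
            return f"error: no active session with pty_index={n}"
        return f"snapshot pty={n} opener={visible[n]['opener']} comm={visible[n]['comm']}"
    return "error: unknown request"


def serve_once(sock_path, request, sessions=SESSIONS):
    """Bind sock_path with mode 0666, accept one client (from this same process),
    authenticate it via SO_PEERCRED and answer its request. Returns (uid, reply)."""
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    os.chmod(sock_path, 0o666)          # anyone may connect; the kernel still says who did
    listener.listen(1)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(sock_path)           # completes once queued in the backlog
    client.sendall(request.encode())    # the request carries no uid: nothing to forge
    conn, _ = listener.accept()
    with listener, client, conn:
        _pid, uid, _gid = peer_credentials(conn)
        return uid, handle(uid, conn.recv(4096).decode(), sessions)


def demo_matches_own_uid():
    """Round trip through a real socket: the uid the daemon side sees must be ours."""
    with tempfile.TemporaryDirectory() as d:
        uid, _reply = serve_once(os.path.join(d, "local.sock"), "list")
    return uid == os.getuid()


if __name__ == "__main__":
    for uid in (0, 1000):
        print(f"--- uid {uid} ({role_for(uid)}) ---")
        print(handle(uid, "list"))
        print(handle(uid, "snapshot 0"))
    if SUPPORTS_PEERCRED:
        print("peer uid matched os.getuid():", demo_matches_own_uid())
```

Run it as an ordinary user and the daemon side reports your own uid without the request ever naming you; a peer asking for pty 0 (root's) and for pty 99 (nonexistent) gets byte-identical errors.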

How it works

Pure-Rust eBPF, CO-RE across kernels, alacritty driving the off-screen grid, sticky opener identity.

Linux only — eBPF inside

tap captures via kernel-side BPF programs that ride on Linux's pty subsystem. macOS/Windows are out of scope for the daemon. The CLI naturally only runs where the daemon does.

Need to drive tap from another machine? Pair it with hop — same eBPF capture, but accessible over an authenticated QUIC peer connection from any client OS.

Install Remote / AI →