Date: Mon, 1 Jul 1996 17:21:10 -0400 (EDT)
From: Frank Seltzer <frankd@yoda.fdt.net>
To: Dave Babler <dbabler@Rigel.orionsys.com>
Cc: questions@FreeBSD.ORG
Subject: Re: Constructive snooping
Message-ID: <Pine.BSI.3.94.960701171900.11563C-100000@Kryten.nina.com>
In-Reply-To: <Pine.BSF.3.91.960701121013.2816A-100000@Rigel.orionsys.com>

On Mon, 1 Jul 1996, Dave Babler wrote:

> Okay, I'm certain there's an obvious, devious and simple solution to
> this, but I can't seem to find it.
>
> I've enabled the snoop pseudo-device and have had no trouble running watch
> to monitor users if necessary. The problem is being able to do that
> *usefully*. Problem number 1 is that the account I'd be doing monitoring
> from is, of course, visible in any user list, so they'd know they weren't
> alone. So if somebody doing something they shouldn't is bright enough to
> just type 'w', they'd see 'watch ttyxxx' and would know something's up.
> Now, of course I could pipe watch's output to a file and put it in the
> background and use tail -f to monitor it... except then if the bad guy is
> bright enough (and the only reason for me to be snooping is to see what a
> UNIX cracker is doing to my system) to just type 'ps a' occasionally,
> they'd still see the watch program. There seem to be all sorts of ways to
> fool the user list, but not the process list. Short of removing the 'ps'
> command from the users, is there any way I can do this?
>
> -Dave
>

Alias watch to some other innocent-sounding name. Start it without a
tty on the command line and it will start and prompt you for a tty
port to watch.

Frank

--
Only in America can a homeless veteran sleep in a cardboard box while
a draft dodger sleeps in the White House.