Date: Mon, 1 Jul 1996 12:24:18 -0700 (PDT)
From: Dave Babler <dbabler@Rigel.orionsys.com>
To: questions@FreeBSD.org
Subject: Constructive snooping
Message-ID: <Pine.BSF.3.91.960701121013.2816A-100000@Rigel.orionsys.com>

Okay, I'm certain there's an obvious, devious and simple solution to this, but I can't seem to find it.

I've enabled the snoop pseudo-device and have had no trouble running watch to monitor users if necessary. The problem is being able to do that *usefully*.

Problem number 1 is that the account I'd be doing monitoring from is, of course, visible in any user list, so they'd know they weren't alone. So if somebody doing something they shouldn't is bright enough to just type 'w', they'd see 'watch ttyxxx' and would know something's up.

Now, of course I could pipe watch's output to a file and put it in the background and use tail -f to monitor it... except then if the bad guy is bright enough (and the only reason for me to be snooping is to see what a UNIX cracker is doing to my system) to just type 'ps a' occasionally, they'd still see the watch program. There seem to be all sorts of ways to fool the user list, but not the process list.

Short of removing the 'ps' command from the users, is there any way I can do this?

-Dave