Date:      Mon, 1 Jul 1996 16:10:01 -0600 (MDT)
From:      Joel Yancey <python@cia-g.com>
To:        Dave Babler <dbabler@Rigel.orionsys.com>
Cc:        questions@FreeBSD.org
Subject:   Re: Constructive snooping
Message-ID:  <Pine.LNX.3.91.960701160801.14263A-100000@gallup.cia-g.com>
In-Reply-To: <Pine.BSF.3.91.960701121013.2816A-100000@Rigel.orionsys.com>


Well, what I did is rename the watch program to another program, say
"getty_ps", which is an actual program, but not for FreeBSD (it's for
Linux; FreeBSD doesn't need it because FBSD is smarter), and ran it that
way. Then it doesn't show up as watch, it shows up as getty_ps, which isn't
something out of the ordinary. And so you don't see a "getty_ps ttyp1" or
whatever; just type getty_ps and it'll ask you for the tty device. =)

LDead.Deadned.com
Joel Yancey


On Mon, 1 Jul 1996, Dave Babler wrote:

> Okay, I'm certain there's an obvious, devious and simple solution to 
> this, but I can't seem to find it.
> 
> I've enabled the snoop pseudo-device and have had no trouble running watch
> to monitor users if necessary. The problem is being able to do that
> *usefully*. Problem number 1 is that the account I'd be doing monitoring
> from is, of course, visible in any user list, so they'd know they weren't
> alone. So if somebody doing something they shouldn't is bright enough to
> just type 'w', they'd see 'watch ttyxxx' and would know something's up.
> Now, of course I could pipe watch's output to a file and put it in the
> background and use tail -f to monitor it... except then if the bad guy is
> bright enough (and the only reason for me to be snooping is to see what a
> UNIX cracker is doing to my system) to just type 'ps a' occasionally,
> they'd still see the watch program. There seems to be all sorts of ways to
> fool the user list, but not the process list. Short of removing the 'ps'
> command from the users, is there any way I can do this?
> 
> -Dave
> 

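The thread's point is that ps(1) reports only a process's name, so a renamed copy of watch looks like any ordinary program. The inverse lesson for a defender is that a name is not an identity: identify executables by their content, since a copy of watch under another name on disk still has the same bytes. The following is an added example, not code from the thread or from FreeBSD; the binaries and the process table are constructed stand-ins (byte strings and a small list of records), and in a real check the bytes would be read from the path that procstat(1) on FreeBSD or /proc/<pid>/exe on Linux reports for the process.

```python
"""Added example: spotting a renamed tool by hashing its executable
content instead of trusting the name shown by ps.

All binaries and process records below are constructed for the example,
not real FreeBSD files.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable contents. Note that the copy at
# /home/admin/getty_ps has exactly the same bytes as /usr/sbin/watch.
FAKE_BINARIES = {
    "/usr/sbin/watch": b"ELF-constructed-watch-binary",
    "/sbin/getty": b"ELF-constructed-getty-binary",
    "/home/admin/getty_ps": b"ELF-constructed-watch-binary",  # watch, renamed
    "/bin/sh": b"ELF-constructed-sh-binary",
}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of executable content."""
    return hashlib.sha256(data).hexdigest()


# Reference list: hash -> canonical tool name. A defender would build this
# from the installed binaries they care about (here, the snooping tool).
KNOWN_TOOLS = {
    sha256_of(FAKE_BINARIES["/usr/sbin/watch"]): "watch",
}


@dataclass
class Proc:
    pid: int
    comm: str   # the name ps(1) would display
    exe: str    # path of the executable actually running


# Constructed process table, as a defender's collector might gather it.
PROCS = [
    Proc(101, "getty", "/sbin/getty"),
    Proc(202, "getty_ps", "/home/admin/getty_ps"),
    Proc(303, "sh", "/bin/sh"),
    Proc(404, "watch", "/usr/sbin/watch"),
]


def find_renamed_tools(procs, binaries, known):
    """Return (pid, shown_name, real_tool) for every process whose
    executable content matches a known tool but whose displayed name
    differs. Processes running a known tool under its own name are
    not reported."""
    hits = []
    for p in procs:
        digest = sha256_of(binaries[p.exe])
        tool = known.get(digest)
        if tool is not None and p.comm != tool:
            hits.append((p.pid, p.comm, tool))
    return hits


if __name__ == "__main__":
    for pid, shown, real in find_renamed_tools(PROCS, FAKE_BINARIES, KNOWN_TOOLS):
        print(f"pid {pid} appears as '{shown}' but its executable is '{real}'")
```

A check that compares the process name with the basename of its executable path would not catch this case, because a renamed file on disk keeps the two consistent; only the content, or something the tool does at runtime (such as the snoop device it opens), gives it away.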


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.3.91.960701160801.14263A-100000>