From owner-freebsd-questions Mon Jul 1 12:24:53 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA26310 for questions-outgoing; Mon, 1 Jul 1996 12:24:53 -0700 (PDT)
Received: from Rigel.orionsys.com (root@rigel.orionsys.com [205.148.224.9]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA26305 for ; Mon, 1 Jul 1996 12:24:51 -0700 (PDT)
Received: (from dbabler@localhost) by Rigel.orionsys.com (8.7.5/8.6.9) id MAA02859; Mon, 1 Jul 1996 12:24:19 -0700 (PDT)
Date: Mon, 1 Jul 1996 12:24:18 -0700 (PDT)
From: Dave Babler
To: questions@FreeBSD.org
Subject: Constructive snooping
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Okay, I'm certain there's an obvious, devious and simple solution to this, but I can't seem to find it. I've enabled the snoop pseudo-device and have had no trouble running watch to monitor users if necessary. The problem is being able to do that *usefully*.

Problem number 1 is that the account I'd be doing the monitoring from is, of course, visible in any user list, so they'd know they weren't alone. So if somebody doing something they shouldn't is bright enough to just type 'w', they'd see 'watch ttyxxx' and would know something's up.

Now, of course, I could pipe watch's output to a file, put it in the background and use tail -f to monitor it... except then, if the bad guy is bright enough (and the only reason for me to be snooping is to see what a UNIX cracker is doing to my system) to just type 'ps a' occasionally, they'd still see the watch program. There seem to be all sorts of ways to fool the user list, but not the process list.

Short of removing the 'ps' command from the users, is there any way I can do this?

-Dave