From owner-freebsd-questions Mon Jul 1 14:25:02 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA13919 for questions-outgoing; Mon, 1 Jul 1996 14:25:02 -0700 (PDT)
Received: from Kryten.nina.com (dyn054-gnv.51.fdt.net [205.229.51.55]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA13861 for ; Mon, 1 Jul 1996 14:24:29 -0700 (PDT)
Received: from localhost (frankd@localhost) by Kryten.nina.com (8.7.5/8.6.12) with SMTP id RAA12931; Mon, 1 Jul 1996 17:21:11 -0400 (EDT)
X-Authentication-Warning: Kryten.nina.com: frankd owned process doing -bs
Date: Mon, 1 Jul 1996 17:21:10 -0400 (EDT)
From: Frank Seltzer
X-Sender: frankd@Kryten.nina.com
To: Dave Babler
cc: questions@FreeBSD.ORG
Subject: Re: Constructive snooping
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 1 Jul 1996, Dave Babler wrote:

> Okay, I'm certain there's an obvious, devious and simple solution to
> this, but I can't seem to find it.
>
> I've enabled the snoop pseudo-device and have had no trouble running watch
> to monitor users if necessary. The problem is being able to do that
> *usefully*. Problem number 1 is that the account I'd be doing monitoring
> from is, of course, visible in any user list, so they'd know they weren't
> alone. So if somebody doing something they shouldn't is bright enough to
> just type 'w', they'd see 'watch ttyxxx' and would know something's up.
> Now, of course I could pipe watch's output to a file and put it in the
> background and use tail -f to monitor it... except then if the bad guy is
> bright enough (and the only reason for me to be snooping is to see what a
> UNIX cracker is doing to my system) to just type 'ps a' occasionally,
> they'd still see the watch program. There seem to be all sorts of ways to
> fool the user list, but not the process list. Short of removing the 'ps'
> command from the users, is there any way I can do this?
>
> -Dave
>

Alias watch to some other innocent-sounding name. Start it without a tty on
the command line and it will start and prompt you for a tty port to watch.

Frank

--
Only in America can a homeless veteran sleep in a cardboard box while a
draft dodger sleeps in the White House.