Nov 29 1999
 

watch – making it work

watch allows you to snoop on another terminal.  It’s for superuser only.

Why use watch?

Sometimes, often for security purposes, it is useful to see what someone is doing.   Perhaps you found someone cracking into your system and you want to see what they’re doing.  I dunno.  Maybe you’re just nosy.

What does watch need?

watch needs the following kernel option:
pseudo-device snp     3

This allows for four snoop devices.  I think you need one for each concurrent watch session.  I’m not sure.  You should add the line above to your kernel configuration file and recompile.  This is pretty easy.  Then you will need to follow the Handbook instructions in “Building and Installing a Custom Kernel”.

watch also needs the snoop devices.  You should do the following:

cd /dev
./MAKEDEV snp0
./MAKEDEV snp1
./MAKEDEV snp2
./MAKEDEV snp3
That should give you the devices you need.

The error

If you get the following error, then you didn’t do the steps in the previous section.   Bad!  Go back and try again.
# watch ttyp1

watch: fatal: cannot open snoop device

If you get this error, go back to “What does watch need?” above, which shows you what to do.
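
A preflight check for the “cannot open snoop device” error, as an added example that is not part of the original article: it confirms that each snoop device made with MAKEDEV exists, is a character device, and is closed to group and others. The function names and the owner-only permission expectation are assumptions made here.

```shell
#!/bin/sh
# Added example: preflight check for the snoop devices that watch opens.
# Assumptions: devices are named snp0..snp(N-1) in DIR, as created by the
# MAKEDEV commands above, and should be accessible to their owner only.

# Classify one device node: ok | missing | not-a-device | loose-perms
snp_state() {
    dev=$1
    if [ ! -e "$dev" ]; then echo missing; return; fi
    if [ ! -c "$dev" ]; then echo not-a-device; return; fi
    # ls -L follows symlinks; the mode string looks like "crw-------"
    mode=$(ls -ldL "$dev" | cut -c1-10)
    case $mode in
        c???------) echo ok ;;
        *)          echo loose-perms ;;
    esac
}

# check_snoop_devices DIR COUNT
# Prints "snpN <state>" per device; returns 0 only if every device is ok.
check_snoop_devices() {
    dir=$1 count=$2 i=0 bad=0
    while [ "$i" -lt "$count" ]; do
        state=$(snp_state "$dir/snp$i")
        echo "snp$i $state"
        [ "$state" = ok ] || bad=1
        i=$((i + 1))
    done
    return "$bad"
}

# Usage on the machine from the article (four devices were created):
#   check_snoop_devices /dev 4
```

Any line other than “ok” points at the step to redo: “missing” means MAKEDEV was not run for that unit, and “loose-perms” means the snoop device is reachable by accounts other than its owner.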

Running watch

Here’s how I did it:
# who
dan              ttyp0   Nov 27 17:35   (wocker.int)
dan              ttyp1   Nov 28 12:36   (wocker.int)
# watch ttyp1

Or, if you want to be able to write to the other terminal, try this:

# watch -W ttyp1

  One Response to “watch – making it work”

  1. Someone had mentioned to me a while ago that there was a kernel module for creating snoop devices, and I decided just recently to try it out and see if it works.

    # cd /modules
    # kldload snp.ko
    # cd /dev
    # ./MAKEDEV snp0 (however many)
    # cd /modules
    # kldunload snp.ko

    Works great, saves you the cumbersome task of creating and building a custom kernel… especially if you have no other reason(s) to.