pspy
pspy is a command line tool that monitors Linux processes without root permissions. It reveals commands run by other users, cron jobs and other process activity in real time.
Description
pspy is designed to snoop on processes without root permissions, which makes it a standard enumeration step during Capture The Flag (CTF) challenges and security assessments: once you have any shell on a Linux host, it shows what else is running there. It prints process executions as they happen, including commands run by other users and scheduled cron jobs, so activity that would otherwise stay hidden from a low-privileged account (a root cron job invoking a world-writable script, a backup job started with credentials) becomes visible.
A key use case is demonstrating poor security practices such as passing secrets as command line arguments. On a default Linux system /proc/<pid>/cmdline is world-readable, so every user on the host can read those arguments; /proc/<pid>/environ, by contrast, is readable only by the process owner and root, which is why secrets belong in environment variables, files with restricted permissions or stdin rather than in argv. pspy is particularly valuable where limited privileges rule out traditional monitoring tools. By observing process creation and file system events, you can map system behaviour and potential attack vectors.
The tool needs no elevated access, but it is not invisible: it is itself a process and shows up in ps like any other. What it can see also depends on how /proc is mounted: with the hidepid=2 mount option, other users' process directories are hidden and pspy only sees your own processes. It is also useful for educational purposes, showing colleagues the risks of insecure command line practices.
How It Works
pspy combines two mechanisms, neither of which needs root. First, it scans /proc for new PIDs at a configurable interval (-i, default 100 ms) and reports any process it has not seen before, reading its command line from the world-readable /proc/<pid>/cmdline. Second, it places inotify watches on a set of directories (recursively with -r, non-recursively with -d) and triggers an immediate extra scan whenever a file system event fires there. Because executing a program touches the file system (the binary is opened, scripts and temporary files are read and written), this catches short-lived processes that a pure polling loop would miss between two intervals; the interval is a trade-off between CPU usage and the chance of missing a brief command. Options control whether process events (-p) and file system events (-f) are printed, whether parent process IDs are recorded (--ppid), coloured output (-c) and debug output (--debug).
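The polling half of this mechanism, written out as an added example (this is not pspy's own code). It assumes a Linux host with /proc mounted and readable, i.e. no hidepid=2, and Python 3.8+; it needs no root because per-process directories, stat and cmdline are world-readable by default. The inotify trigger is deliberately left out, so the watch loop has exactly the gap pspy's inotify scan exists to close: a process that starts and exits within one interval is never seen. The secret-spotting regex is a constructed heuristic for demonstration, not a rule pspy applies.

```python
"""Minimal pspy-style process snooper: poll /proc and report new processes.

Added example, not pspy's own code. Assumes Linux with /proc mounted and
readable (no hidepid=2) and Python 3.8+. Like pspy it needs no root: the
per-process directories and cmdline files are world-readable by default.
Only the periodic /proc scan is implemented; pspy additionally uses inotify
on watched directories to trigger an immediate rescan.
"""
import os
import re
import sys
import time
from typing import Dict, List, Tuple

PROC = "/proc"
INTERVAL_MS = 100  # pspy's default scan interval

# Constructed heuristic for argv tokens that commonly carry credentials.
SECRET_ARG = re.compile(
    r"^(?:-p\S+|--?(?:pass(?:word|wd)?|token|secret|api[-_]?key)(?:=\S*)?)$",
    re.IGNORECASE,
)

ProcInfo = Tuple[int, int, str]  # (uid, ppid, command line)


def parse_cmdline(raw: bytes) -> List[str]:
    """Split /proc/<pid>/cmdline: argv joined by NUL bytes, normally NUL-terminated.
    Kernel threads have an empty cmdline, which yields an empty list."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def parse_stat(raw: str) -> Tuple[str, int]:
    """Return (comm, ppid) from /proc/<pid>/stat. comm is wrapped in parentheses
    and may itself contain spaces or ')', so split on the LAST ')' first."""
    head, _, tail = raw.rpartition(")")
    comm = head.split("(", 1)[1]
    fields = tail.split()  # state ppid pgrp session tty ...
    return comm, int(fields[1])


def flag_secrets(argv: List[str]) -> List[str]:
    """Return argv tokens that look like credentials passed on the command line."""
    return [arg for arg in argv if SECRET_ARG.match(arg)]


def format_event(pid: int, uid: int, ppid: int, cmd: str, show_ppid: bool = False) -> str:
    """Render one process event in a pspy-like layout and flag likely leaked secrets."""
    line = f"CMD: UID={uid:<6}PID={pid:<7}"
    if show_ppid:
        line += f"PPID={ppid:<7}"
    line += f"| {cmd}"
    leaked = flag_secrets(cmd.split())
    if leaked:
        line += f"   <-- possible secret in argv: {', '.join(leaked)}"
    return line


def snapshot() -> Dict[int, ProcInfo]:
    """One scan of /proc. Processes that exit mid-scan are skipped; with
    hidepid=2 other users' pids are simply absent and nothing is reported."""
    procs: Dict[int, ProcInfo] = {}
    for name in os.listdir(PROC):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            uid = os.stat(f"{PROC}/{pid}").st_uid  # directory owner == process uid
            with open(f"{PROC}/{pid}/stat") as f:
                comm, ppid = parse_stat(f.read())
            with open(f"{PROC}/{pid}/cmdline", "rb") as f:
                argv = parse_cmdline(f.read())
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
        procs[pid] = (uid, ppid, " ".join(argv) if argv else f"[{comm}]")
    return procs


def watch(duration_s: float, interval_ms: int = INTERVAL_MS, show_ppid: bool = False) -> int:
    """Poll for duration_s seconds, print every newly seen pid, return the event count.
    A process that starts and exits inside one interval is missed; pspy's inotify
    trigger exists to shrink exactly that window."""
    seen = snapshot()
    events = 0
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        time.sleep(interval_ms / 1000)
        current = snapshot()
        for pid in sorted(current.keys() - seen.keys()):
            uid, ppid, cmd = current[pid]
            print(format_event(pid, uid, ppid, cmd, show_ppid))
            events += 1
        seen = current
    return events


if __name__ == "__main__":
    # usage: python3 snoop.py [seconds] [--ppid]
    secs = float(sys.argv[1]) if len(sys.argv) > 1 and sys.argv[1] != "--ppid" else 30.0
    watch(secs, show_ppid="--ppid" in sys.argv)
```

Run it in one terminal as an unprivileged user and, in another, start something like mysql -uroot -phunter2 or a cron-triggered script: the first terminal prints the new PID, its UID and the full argv, with the password token flagged. Shortening the interval reduces the number of missed short-lived commands at the cost of more /proc reads per second, which is the same trade-off pspy's -i exposes.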
Installation
sudo apt install pspy
Flags
-p            print process events to stdout (default true; -p=false prints only file system events)
-f            print file system events as well as process events
-i <ms>       scan interval in milliseconds (default 100)
-r <dirs>     directories to watch recursively for file system events
-d <dirs>     directories to watch without recursion
-c            coloured output (default true; -c=false for plain text, useful when logging to a file)
--ppid        record and print the parent PID of each process
--debug       print debug output
Examples
pspy -h               Show help and the full flag list.
pspy                  Default run: scan /proc every 100 ms and watch the default directories.
pspy -p=false         Suppress process events (combine with -f to see only file system activity).
pspy -i 500           Scan every 500 ms instead of 100 ms, trading latency for lower CPU use.
pspy -f               Also print file system events in the watched directories.
pspy --ppid           Print each process's parent PID, useful for tracing which cron job or service spawned a command.
pspy -c=false         Disable coloured output, for example when redirecting to a file.
pspy --debug          Enable debug output.