Hello All

Before you can go looking for an "Intruder" you need to have an idea of what an intruder is. The most common definition I have seen is that of "some entity" accessing/using a system beyond their authority.

Once you find an "Intruder" you need to know what to do with them. Two choices:

1) Get rid of them quick smart.
2) Monitor and pursue.

A usage policy which defines authority is (almost) mandatory. Without such a policy you are up a creek.

Any thoughts on this, as these points have a severe impact on the actions an Admin takes, the tools they run and User expectations of the system.

Could it be that the most powerful tool an Admin has is the policy document?

regards
Andrew

For further reading see RFC1244

Part time admin of various Unix systems and support person for MANY Macs and PCs at my site.

PS If this message is not appropriate then throw it away...:-)

---------------------------------------------------------------------------
Andrew PRUSEK                      Phone +61 86 40 4590
BHP Information Technology         Fax   +61 86 40 4720
PO Box 21 / Port Augusta Road      Email andrewp@itwhy.bhp.com.au
Whyalla SA 5600 Australia          Disclaimer: My opinions are my own.