#1
Guest
Posts: n/a
alternative to snare
Hi,
I want to be able to detect if a normal user tries to kill a root process. Even if the attempt was unsuccessful. snare does this somewhat but snare Is there another program besides snare and the kernel plug in that does this?
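The behaviour asked about here (a non-root user calling kill() on a process they do not own, which fails with EPERM) is exactly what the Linux audit subsystem records if a syscall rule for kill is loaded. The following is an added example of my own, not code from either poster or from snare: a small Python parser that runs over auditd SYSCALL records and reports the failed, permission-denied kill attempts made by non-root users. The audit lines are constructed for the example; the record layout, the x86_64 syscall number for kill (62) and the `auditctl` rule in the comment are real, while the process names, PIDs and timestamps are made up.

```python
import errno
import re
import signal

# Constructed sample auditd records (not from the original post). They have the
# shape the Linux audit subsystem emits for the kill(2) syscall once a rule like
#   auditctl -a always,exit -F arch=b64 -S kill -k kill_attempt
# is loaded. a0 is the target pid, a1 the signal number, both as hex registers.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713800000.101:301): arch=c000003e syscall=62 success=yes exit=0 a0=1f40 a1=f a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="kill_attempt"
type=SYSCALL msg=audit(1713800000.202:302): arch=c000003e syscall=62 success=no exit=-1 a0=2e6 a1=9 a2=0 a3=0 items=0 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="kill_attempt"
type=PROCTITLE msg=audit(1713800000.202:302): proctitle=6B696C6C002D3900373432
type=SYSCALL msg=audit(1713800000.303:303): arch=c000003e syscall=62 success=no exit=-3 a0=3039 a1=f a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="kill_attempt"
type=SYSCALL msg=audit(1713800000.404:304): arch=c000003e syscall=62 success=no exit=-1 a0=ffffffffffffffff a1=9 a2=0 a3=0 items=0 ppid=2100 pid=2101 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" key="kill_attempt"
"""

ARCH_X86_64 = "c000003e"       # value audit logs for x86_64 in the arch= field
KILL_SYSCALL_X86_64 = 62       # kill(2) on x86_64

# key=value pairs; quoted values may contain spaces, unquoted ones may not
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def _signed64(hexval):
    """Audit prints raw 64-bit registers; kill(-1, sig) shows up as ffffffffffffffff."""
    v = int(hexval, 16)
    return v - (1 << 64) if v >= (1 << 63) else v


def _signal_name(num):
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG{num}"


def failed_kill_attempts(lines):
    """Return the kill() calls by non-root users that the kernel refused with EPERM.

    ESRCH (no such process) and calls that succeeded are deliberately left out:
    only a permission denial says the caller targeted a process it does not own.
    """
    hits = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "SYSCALL":
            continue
        if f.get("arch") != ARCH_X86_64 or f.get("syscall") != str(KILL_SYSCALL_X86_64):
            continue
        if f.get("success") != "no":
            continue
        if int(f["uid"]) == 0:
            continue
        err = -int(f["exit"])                 # audit stores -errno in exit=
        if err != errno.EPERM:
            continue
        sig = _signed64(f["a1"])
        hits.append({
            "uid": int(f["uid"]),
            "auid": int(f["auid"]),           # login uid: survives su/sudo
            "pid": int(f["pid"]),
            "comm": f.get("comm"),
            "target_pid": _signed64(f["a0"]),
            "signal": sig,
            "signal_name": _signal_name(sig),
            "errno": errno.errorcode[err],
        })
    return hits


if __name__ == "__main__":
    for h in failed_kill_attempts(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"uid {h['uid']} (login uid {h['auid']}) in {h['comm']} pid {h['pid']} "
              f"sent {h['signal_name']} to pid {h['target_pid']}: {h['errno']}")
```

On a real host the same function can be pointed at /var/log/audit/audit.log; `ausearch -k kill_attempt` gives the same records already filtered by key. The target pid of -1 in the last sample record is the "signal every process" case, which is why the helper converts the register value to a signed integer instead of reporting a huge positive pid.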
#2
Guest
Posts: n/a
Re: alternative to snare
tiffini wrote:
> Hi,
>
> I want to be able to detect if a normal user tries to kill a root
> process. Even if the attempt was unsuccessful. snare does this somewhat
> but snare Is there another program besides snare and the kernel plug in
> that does this?
>

Seems likely you're referring to a Linux or BSD box? I wouldn't fool with snare if I could avoid it either; but you'll have to play a bit (I haven't done it).

I'm using Gentoo, and this is how I'd approach it on my box (YMMV).

Go to /usr/include/sys; make a backup of syslog.h; edit syslog.h and upgrade the loglevel for the appropriate syslog facility. E.g. the loglevel definitions are in there:

    #define LOG_EMERG    0  /* system is unusable */
    #define LOG_ALERT    1  /* action must be taken immediately */
    #define LOG_CRIT     2  /* critical conditions */
    #define LOG_ERR      3  /* error conditions */
    #define LOG_WARNING  4  /* warning conditions */
    #define LOG_NOTICE   5  /* normal but significant condition */
    #define LOG_INFO     6  /* informational */
    #define LOG_DEBUG    7  /* debug-level messages */

and most likely the info you want is at level 4 or 5, not the default level of 3. So now you need to figure out which facility is involved:

    /* facility codes */
    #define LOG_KERN      (0<<3)   /* kernel messages */
    #define LOG_USER      (1<<3)   /* random user-level messages */
    #define LOG_MAIL      (2<<3)   /* mail system */
    #define LOG_DAEMON    (3<<3)   /* system daemons */
    #define LOG_AUTH      (4<<3)   /* security/authorization messages */
    #define LOG_SYSLOG    (5<<3)   /* messages generated internally by syslogd */
    #define LOG_LPR       (6<<3)   /* line printer subsystem */
    #define LOG_NEWS      (7<<3)   /* network news subsystem */
    #define LOG_UUCP      (8<<3)   /* UUCP subsystem */
    #define LOG_CRON      (9<<3)   /* clock daemon */
    #define LOG_AUTHPRIV  (10<<3)  /* security/authorization messages (private) */
    #define LOG_FTP       (11<<3)  /* ftp daemon */

Looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER? So IIWU, I'd play with facilities and loglevels 'til you got the messages you wanted on syslog.

When you get this working, please post back here with what you did :-) HTH
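The facility and level constants quoted in the reply above compose into the `<PRI>` number that prefixes every syslog message: PRI is the facility code (already shifted left by 3, i.e. facility number times 8) OR'd with the severity. The following is an added example of mine, not code from the poster: it encodes and decodes PRI values with exactly those tables, parses syslog lines, and filters them by facility and severity so you can see concretely which messages a threshold of level 3 drops compared with 4 or 5. The log lines are constructed for the example; the numeric facility and severity values are the ones listed in the reply.

```python
import re

# Severity (level) and facility numbers as defined in <sys/syslog.h> and quoted
# in the reply above. Facility codes in the header are (n<<3); here n is stored.
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
SEVERITY_BY_NAME = {v: k for k, v in SEVERITIES.items()}
FACILITY_BY_NAME = {v: k for k, v in FACILITIES.items()}

# Constructed sample messages (not from the post). <38> = auth(4<<3) | info(6), etc.
SAMPLE_SYSLOG = [
    "<38>Apr 22 10:00:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2",
    "<85>Apr 22 10:00:02 host sudo: bob : command not allowed ; TTY=pts/1 ; COMMAND=/bin/systemctl",
    "<12>Apr 22 10:00:03 host myapp[77]: kill(742, SIGKILL) failed: Operation not permitted",
    "<3>Apr 22 10:00:04 host kernel: EXT4-fs error (device sda1): bad block bitmap",
    "<30>Apr 22 10:00:05 host cron[500]: (alice) CMD (/home/alice/backup.sh)",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """Compose a PRI the way the header macros do: (facility<<3) | severity."""
    return (FACILITY_BY_NAME[facility] << 3) | SEVERITY_BY_NAME[severity]


def decode_pri(pri):
    """Invert encode_pri: the low 3 bits are the severity, the rest the facility."""
    if not 0 <= pri <= 191:           # 23<<3 | 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = pri >> 3, pri & 0x7
    # facilities 16..23 (local0..local7) are not in the quoted list; name them anyway
    name = FACILITIES.get(facility, f"local{facility - 16}" if facility >= 16 else f"facility{facility}")
    return name, SEVERITIES[severity]


def parse_line(line):
    """Split a syslog line into facility, severity and the remaining message text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line[:40]!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": m.group(2)}


def select(lines, facilities, max_severity):
    """Keep messages from `facilities` at `max_severity` or more urgent.

    Lower numbers are more urgent, so a threshold of "err" (3) keeps
    emerg..err and drops warning (4) and notice (5); that is the gap the
    reply is talking about when it says to raise the level to 4 or 5.
    """
    threshold = SEVERITY_BY_NAME[max_severity]
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec["facility"] in facilities and SEVERITY_BY_NAME[rec["severity"]] <= threshold:
            out.append(rec)
    return out


if __name__ == "__main__":
    wanted = {"auth", "authpriv", "user"}
    for level in ("err", "notice", "info"):
        kept = select(SAMPLE_SYSLOG, wanted, level)
        print(f"threshold {level}: {len(kept)} message(s)")
        for rec in kept:
            print(f"  {rec['facility']}.{rec['severity']}: {rec['message']}")
```

The same facility/severity arithmetic is what a syslog.conf selector such as `auth,authpriv.notice` expresses, so once the numbers are understood the right selector line follows directly.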