alternative to snare

Unread 17-06-2008, 05:29 PM   #1
tiffini
Guest
 
Posts: n/a
alternative to snare

Hi,

I want to be able to detect if a normal user tries to kill a root
process, even if the attempt was unsuccessful.
snare does this somewhat, but is there another program besides
snare and the kernel plug-in that does this?



Sponsored Links
 
Unread 17-06-2008, 08:25 PM   #2
bogus
Guest
 
Posts: n/a
Re: alternative to snare

tiffini wrote:
> Hi,
>
> I want to be able to detect if a normal user tries to kill a root
> process. Even if the attempt was unsuccessful. snare does this somewhat
> but snare Is there another program besides snare and the kernel plug in
> that does this?
>
>


Seems likely you're referring to a Linux or BSD box?

I wouldn't fool with snare if I could avoid it either; but you'll have
to play a bit (I haven't done it).

I'm using Gentoo, and this is how I'd approach it on my box (YMMV)

go to: /usr/include/sys ; make a backup of syslog.h ; edit syslog.h and
upgrade the loglevel for the appropriate syslog facility.

e.g. the loglevel definitions are in there:

#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

and most likely the info you want is at level 4 or 5, not the default
level of 3.

So now you need to figure which facility is involved:

/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */

looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER ?

So, IIWU, I'd play with facilities and loglevels 'til you got the
messages you wanted on syslog.

When you get this working, please post back here with what you did :-)


HTH
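On Linux, the event tiffini is after (a non-root user's kill(2) refused by the kernel with EPERM) can be recorded by the kernel audit subsystem without snare or its kernel plug-in. The example below is added here and comes from neither poster: it pairs an assumed auditctl rule that logs every kill(2) from a logged-in user with a small parser that picks the permission failures out of audit.log. The rule key name and the sample log lines are constructed; the record layout follows the standard audit.log key=value format.

```python
import re

# Assumed auditctl rule (not from the thread): log every kill(2) on x86_64 issued
# from a real login session (auid set); the parser below then keeps only the
# attempts the kernel refused.
AUDIT_RULE = ("auditctl -a always,exit -F arch=b64 -S kill "
              "-F auid>=1000 -F auid!=4294967295 -k user_kill")

EPERM = 1  # errno "Operation not permitted"; audit logs it as exit=-1

# Constructed sample records (x86_64: syscall 62 is kill; a0 = pid, a1 = signal, hex).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213720000.101:501): arch=c000003e syscall=62 success=no exit=-1 a0=4d2 a1=9 pid=2002 auid=1000 uid=1000 comm="kill" exe="/bin/kill" key="user_kill"
type=SYSCALL msg=audit(1213720000.102:502): arch=c000003e syscall=62 success=yes exit=0 a0=7d1 a1=f pid=2003 auid=1000 uid=1000 comm="kill" exe="/bin/kill" key="user_kill"
type=SYSCALL msg=audit(1213720000.103:503): arch=c000003e syscall=62 success=no exit=-3 a0=999 a1=9 pid=2004 auid=1000 uid=1000 comm="kill" exe="/bin/kill" key="user_kill"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def failed_kill_attempts(log_text, kill_syscall=62):
    """Return (auid, target_pid, signal) for every kill(2) the kernel refused
    with EPERM, i.e. a user signalling a process it does not own. A failure
    with ESRCH (exit=-3) means the pid does not exist, not a permission
    problem, so it is ignored, as are successful kills."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or int(rec.get("syscall", -1)) != kill_syscall:
            continue
        if rec.get("success") == "no" and int(rec["exit"]) == -EPERM:
            hits.append((int(rec["auid"]), int(rec["a0"], 16), int(rec["a1"], 16)))
    return hits

if __name__ == "__main__":
    for auid, pid, sig in failed_kill_attempts(SAMPLE_LOG):
        print(f"auid={auid} tried to send signal {sig} to pid {pid}: denied (EPERM)")
```

Reading the live file (/var/log/audit/audit.log) or the output of ausearch -k user_kill in place of SAMPLE_LOG gives the same result on a real box.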