|17-06-2008, 05:29 PM||#1|
alternative to snare
I want to be able to detect if a normal user tries to kill a root
process, even if the attempt was unsuccessful.
snare does this somewhat, but is there another program besides
snare and the kernel plug-in that does this?
|17-06-2008, 08:25 PM||#2|
Re: alternative to snare
> I want to be able to detect if a normal user tries to kill a root
> process, even if the attempt was unsuccessful. snare does this somewhat,
> but is there another program besides snare and the kernel plug-in
> that does this?
Seems likely you're referring to a Linux or BSD box?
I wouldn't fool with snare if I could avoid it either; but you'll have
to play a bit (I haven't done it).
I'm using Gentoo, and this is how I'd approach it on my box (YMMV):
go to: /usr/include/sys ; make a backup of syslog.h ; edit syslog.h and
upgrade the loglevel for the appropriate syslog facility.
e.g. the loglevel definitions are in there:
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */
and most likely the info you want is at level 4 or 5, not the default
level of 3.
So now you need to figure which facility is involved:
/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */
Looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER?
So, IIWU, I'd play with facilities and loglevels 'til you got the
messages you wanted on syslog.
When you get this working, please post back here with what you did :-)
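As an added example (not code from either poster), here is a small C program that shows how the facility and level macros quoted above combine into the `<PRI>` header that prefixes a raw syslog line, and how a watcher would pick out lines on the auth/authpriv facilities at LOG_WARNING or more severe. It assumes glibc's `<syslog.h>` (which defines LOG_AUTHPRIV); the sample log lines and the `killwatch` program name are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* A raw syslog line starts with "<PRI>", where PRI = (facility << 3) | level,
 * exactly the layout of the LOG_* macros quoted from syslog.h above. */
int pri_facility(int pri) { return pri >> 3; }   /* e.g. LOG_AUTHPRIV >> 3 == 10 */
int pri_level(int pri)    { return pri & 0x07; } /* e.g. LOG_WARNING == 4 */

/* Parse the "<NN>" header of a line. Returns PRI (0..191) or -1 if absent/malformed.
 * If rest is non-NULL it receives a pointer to the text after the header. */
int parse_pri(const char *line, const char **rest)
{
    if (line == NULL || line[0] != '<')
        return -1;
    char *end;
    long v = strtol(line + 1, &end, 10);
    if (end == line + 1 || *end != '>' || v < 0 || v > 191)
        return -1;
    if (rest)
        *rest = end + 1;
    return (int)v;
}

/* Lower level numbers are more severe, so "LOG_WARNING or worse" means level <= 4. */
int is_auth_alert(const char *line)
{
    int pri = parse_pri(line, NULL);
    if (pri < 0)
        return 0;
    int fac = pri_facility(pri);
    int on_auth = (fac == (LOG_AUTH >> 3)) || (fac == (LOG_AUTHPRIV >> 3));
    return on_auth && pri_level(pri) <= LOG_WARNING;
}

/* Constructed sample lines (not real log output). PRI values:
 * 84 = authpriv(10)*8 + warning(4), 86 = authpriv.info, 14 = user.info, 36 = auth.warning */
static const char *sample_lines[] = {
    "<84>Jun 17 17:29:01 box sudo: alice : command not allowed ; COMMAND=/bin/kill -9 1234",
    "<86>Jun 17 17:29:02 box sshd[2201]: Accepted publickey for bob from 192.0.2.10",
    "<14>Jun 17 17:29:03 box logger: ordinary user message",
    "<36>Jun 17 17:29:04 box login[500]: FAILED LOGIN 1 FROM tty1 FOR carol",
    "a line with no PRI header at all",
};
static const size_t n_samples = sizeof sample_lines / sizeof sample_lines[0];

/* Count the sample lines that would be worth alerting on. */
int count_auth_alerts(void)
{
    int n = 0;
    for (size_t i = 0; i < n_samples; i++)
        n += is_auth_alert(sample_lines[i]);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < n_samples; i++) {
        const char *rest;
        int pri = parse_pri(sample_lines[i], &rest);
        if (pri < 0) {
            printf("skip   : %s\n", sample_lines[i]);
            continue;
        }
        printf("%s fac=%2d lvl=%d : %s\n",
               is_auth_alert(sample_lines[i]) ? "ALERT " : "ignore",
               pri_facility(pri), pri_level(pri), rest);
    }
    /* How a watcher program would itself emit such a line: the facility is chosen
     * in openlog(), the level in syslog(). "killwatch" is an assumed program name. */
    openlog("killwatch", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_WARNING, "example: a denied signal to a root-owned process would be reported here");
    closelog();
    return 0;
}
```

Running it as an ordinary user prints two ALERT lines (the authpriv.warning sudo refusal and the auth.warning failed login) and ignores the info-level and user-facility lines, which is the kind of filter you end up with once you have settled on a facility and level, whatever program produces the messages.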