alternative to snare


I want to be able to detect if a normal user tries to kill a root
process.  Even if the attempt was unsuccessful.
snare does this somewhat, but is there another program besides
snare and the kernel plug-in that does this?

Re: alternative to snare

tiffini wrote:

Seems likely you're referring to a Linux or BSD box?

I wouldn't fool with snare if I could avoid it either; but you'll have
to play a bit (I haven't done it).

I'm using Gentoo, and this is how I'd approach it on my box (YMMV):

go to: /usr/include/sys ; make a backup of syslog.h ; edit syslog.h and
upgrade the loglevel for the appropriate syslog facility.

e.g. the loglevel definitions are in there:

  #define LOG_EMERG       0       /* system is unusable */
  #define LOG_ALERT       1       /* action must be taken immediately */
  #define LOG_CRIT        2       /* critical conditions */
  #define LOG_ERR         3       /* error conditions */
  #define LOG_WARNING     4       /* warning conditions */
  #define LOG_NOTICE      5       /* normal but significant condition */
  #define LOG_INFO        6       /* informational */
  #define LOG_DEBUG       7       /* debug-level messages */

and most likely the info you want is at level 4 or 5, not the default
level of 3.

So now you need to figure which facility is involved:

  /* facility codes */
  #define LOG_KERN        (0<<3)  /* kernel messages */
  #define LOG_USER        (1<<3)  /* random user-level messages */
  #define LOG_MAIL        (2<<3)  /* mail system */
  #define LOG_DAEMON      (3<<3)  /* system daemons */
  #define LOG_AUTH        (4<<3)  /* security/authorization messages */
  #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
  #define LOG_LPR         (6<<3)  /* line printer subsystem */
  #define LOG_NEWS        (7<<3)  /* network news subsystem */
  #define LOG_UUCP        (8<<3)  /* UUCP subsystem */
  #define LOG_CRON        (9<<3)  /* clock daemon */
  #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */
  #define LOG_FTP         (11<<3) /* ftp daemon */

looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER ?

So, if I were you, I'd play with facilities and log levels 'til you got the
messages you wanted in syslog.

When you get this working,  please post back here with what you did :-)
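As an added example (not part of the thread, and not the poster's method), a small Python filter that decodes the PRI value syslog prepends to each message into the facility and level numbers quoted above, then applies a facility/level cutoff the way a syslog.conf selector does; it shows why the level threshold matters, since with the reply's "default level 3" (err) as the cutoff the warning and notice auth messages are dropped. The sample lines and the names in them are constructed.

```python
import re
from typing import List, Optional, Set, Tuple
# Level and facility numbers exactly as in the <sys/syslog.h> excerpt above:
# a PRI value is (facility << 3) | level, so facility = pri >> 3, level = pri & 7.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
LOG_ERR, LOG_NOTICE = 3, 5

# Constructed sample lines in raw "<PRI>message" form; not real log data.
SAMPLE_LINES = [
    "<84>su: pam_unix(su:auth): authentication failure; uid=1000",     # authpriv.warning
    "<85>sudo: alice : command not allowed ; COMMAND=/bin/kill 4242",  # authpriv.notice
    "<14>cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",         # user.info
    "<35>sshd[999]: error: PAM: Authentication failure for alice",     # auth.err
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility code, level) using the <<3 layout above."""
    return pri >> 3, pri & 7

def parse_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Parse one "<PRI>text" line into (facility name, level, text); None if no valid PRI."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23<<3 | 7 is the largest legal PRI
        return None
    fac, lvl = decode_pri(int(m.group(1)))
    name = FACILITIES[fac] if fac < len(FACILITIES) else f"facility{fac}"
    return name, lvl, m.group(2)

def select(lines: List[str], facilities: Set[str], max_level: int) -> List[Tuple[str, int, str]]:
    """Keep messages from the given facilities at max_level or more urgent (a lower
    number), the way a syslog.conf selector such as 'auth,authpriv.notice' would."""
    out = []
    for line in lines:
        msg = parse_line(line)
        if msg and msg[0] in facilities and msg[1] <= max_level:
            out.append(msg)
    return out

if __name__ == "__main__":
    # With the reply's "default level 3" (err) the warning and notice lines vanish.
    for cutoff in (LOG_ERR, LOG_NOTICE):
        kept = select(SAMPLE_LINES, {"auth", "authpriv"}, cutoff)
        print(f"cutoff {LEVELS[cutoff]}: {len(kept)} message(s)")
        for fac, lvl, text in kept:
            print(f"  {fac}.{LEVELS[lvl]}: {text}")
```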
