Computer Science Talk
Science Forums
alternative to snare

tiffini
Guest





Posted: Tue Jun 17, 2008 9:32 pm    Post subject: alternative to snare

Hi,

I want to be able to detect if a normal user tries to kill a root process, even if the attempt was unsuccessful. snare does this somewhat but snare Is there another program besides snare and the kernel plug-in that does this?


bogus
Guest





Posted: Wed Jun 18, 2008 12:31 am    Post subject: Re: alternative to snare

tiffini wrote:
> Hi,
>
> I want to be able to detect if a normal user tries to kill a root process, even if the attempt was unsuccessful. snare does this somewhat but snare Is there another program besides snare and the kernel plug-in that does this?

Seems likely you're referring to a Linux or BSD box?

I wouldn't fool with snare if I could avoid it either; but you'll have
to play a bit (I haven't done it).

I'm using Gentoo, and this is how I'd approach it on my box (YMMV)

go to: /usr/include/sys ; make a backup of syslog.h ; edit syslog.h and
upgrade the loglevel for the appropriate syslog facility.

e.g. the loglevel definitions are in there:

#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

and most likely the info you want is at level 4 or 5, not the default
level of 3.

So now you need to figure which facility is involved:

/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */

looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER ?

so the IIWU, I'd play with facilities and loglevels 'til you got the
messages you wanted on syslog.

When you get this working, please post back here with what you did :-)


HTH

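Added example (not from either post above, and the thread itself does not mention the Linux audit subsystem): on a Linux box the signal tiffini asks for, a refused kill() by an ordinary user, can be had directly from auditd rather than from syslog levels. An audit rule on the kill syscall produces one SYSCALL record per call whether it succeeded or not, and the detection logic is then a filter over those records. The block below is that filter, run over a few constructed audit.log lines in auditd's SYSCALL format; the rule in the docstring, the uids, pids and timestamps are all illustrative assumptions.

```python
"""Detect refused kill() calls by unprivileged users in Linux audit records.

Assumed auditd rule (x86_64; kill is syscall 62 on that ABI):
    auditctl -a always,exit -F arch=b64 -S kill -k kill_watch
Every kill() then produces a SYSCALL record whether or not it succeeded;
this script keeps the ones refused with EPERM by a non-root caller.
"""
import re

# Constructed sample records in auditd's SYSCALL format (not real log data).
# a0 = target pid, a1 = signal number, both hex; exit is the negative errno.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1213741500.101:201): arch=c000003e syscall=62 success=no exit=-1 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=2300 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="kill" exe="/bin/kill" key="kill_watch"
type=SYSCALL msg=audit(1213741501.202:202): arch=c000003e syscall=62 success=yes exit=0 a0=4d3 a1=f a2=0 a3=0 items=0 ppid=2300 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="kill" exe="/bin/kill" key="kill_watch"
type=SYSCALL msg=audit(1213741502.303:203): arch=c000003e syscall=62 success=no exit=-1 a0=1 a1=f a2=0 a3=0 items=0 ppid=1 pid=2312 auid=0 uid=0 gid=0 euid=0 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" key="kill_watch"
type=SYSCALL msg=audit(1213741503.404:204): arch=c000003e syscall=62 success=no exit=-3 a0=7b a1=9 a2=0 a3=0 items=0 ppid=2300 pid=2313 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="kill" exe="/bin/kill" key="kill_watch"
type=SYSCALL msg=audit(1213741504.505:205): arch=c000003e syscall=62 success=no exit=-1 a0=4d2 a1=0 a2=0 a3=0 items=0 ppid=2400 pid=2410 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key="kill_watch"
"""

EPERM = 1            # kill() refused: caller may not signal that process
KILL_SYSCALL_X86_64 = "62"
SIGNAL_NAMES = {0: "SIG0 (permission probe)", 1: "SIGHUP", 2: "SIGINT",
                9: "SIGKILL", 15: "SIGTERM"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def denied_kill_attempts(log_text, kill_syscall=KILL_SYSCALL_X86_64):
    """Return refused kill() calls (EPERM) made by a non-root caller.

    EPERM on kill() means the caller's uid did not match the target's and it
    held no CAP_KILL, so the target belonged to another user. Whether that
    user was root is not in the record: only the target pid (a0) is, so a
    real deployment cross-checks that pid against the process table.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != kill_syscall:
            continue
        if rec.get("success") != "no" or int(rec.get("exit", "0")) != -EPERM:
            continue        # succeeded, or failed for another reason (e.g. ESRCH)
        uid = int(rec["uid"])
        if uid == 0:
            continue        # root being refused is a different investigation
        stamp = STAMP_RE.search(line)
        signal = int(rec["a1"], 16)
        findings.append({
            "time": float(stamp.group(1)) if stamp else None,
            "serial": int(stamp.group(2)) if stamp else None,
            "uid": uid,
            "auid": int(rec.get("auid", "-1")),
            "caller_pid": int(rec["pid"]),
            "target_pid": int(rec["a0"], 16),
            "signal": signal,
            "signal_name": SIGNAL_NAMES.get(signal, f"signal {signal}"),
            "comm": rec.get("comm", "?"),
            "exe": rec.get("exe", "?"),
        })
    return findings


def format_alert(f):
    """One-line alert; signal 0 is called out because it only tests permission."""
    what = "probed" if f["signal"] == 0 else f"sent {f['signal_name']} to"
    return (f"DENIED kill: uid {f['uid']} (login uid {f['auid']}) in {f['comm']} "
            f"[pid {f['caller_pid']}] {what} pid {f['target_pid']} "
            f"(audit serial {f['serial']})")


if __name__ == "__main__":
    for finding in denied_kill_attempts(SAMPLE_AUDIT_LOG):
        print(format_alert(finding))
```

Two of the five constructed records survive the filter: the SIGKILL refused to uid 1000, and the signal-0 call from uid 1001, which is worth keeping because kill(pid, 0) is how a process checks whether it could signal a target before trying. The ESRCH record and the successful kill are dropped, and so is the refusal to root, which is a different question. The filter is by uid, not by "root process": the record carries the target pid but not the target's owner, so confirming the victim really was a root process means resolving that pid at the time of the event.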
All times are GMT