#1  06-17-2008, 04:32 PM
tiffini
alternative to snare

Hi,

I want to be able to detect if a normal user tries to kill a root
process. Even if the attempt was unsuccessful.
snare does this somewhat but snare Is there another program besides
snare and the kernel plug in that does this?



#2  06-17-2008, 07:31 PM
bogus
Re: alternative to snare

tiffini wrote:
> Hi,
>
> I want to be able to detect if a normal user tries to kill a root
> process. Even if the attempt was unsuccessful. snare does this somewhat
> but snare Is there another program besides snare and the kernel plug in
> that does this?
>
>


Seems likely you're referring to a Linux or BSD box?

I wouldn't fool with snare if I could avoid it either; but you'll have
to play a bit (I haven't done it).

I'm using Gentoo, and this is how I'd approach it on my box (YMMV)

go to: /usr/include/sys ; make a backup of syslog.h ; edit syslog.h and
upgrade the loglevel for the appropriate syslog facility.

e.g. the loglevel definitions are in there:

#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

and most likely the info you want is at level 4 or 5, not the default
level of 3.

So now you need to figure which facility is involved:

/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */

looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER ?

so the IIWU, I'd play with facilities and loglevels 'til you got the
messages you wanted on syslog.

When you get this working, please post back here with what you did :-)


HTH
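
An added example, not part of the original posts: a small C decoder showing how the facility and level constants quoted in the reply combine into the `<PRI>` number that prefixes a raw syslog message, and how many of a few constructed lines a level-3 versus a level-5 cutoff would keep. The function names and the sample lines are illustrative assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>

/* Split the "<PRI>" prefix of a raw syslog line into facility and level.
 * PRI = facility | level; facility codes are pre-shifted by 3 as in the
 * definitions quoted above. Returns 0 on success, -1 if malformed. */
int decode_pri(const char *line, int *facility, int *level)
{
    char *end;
    long pri;

    if (line == NULL || line[0] != '<' || line[1] < '0' || line[1] > '9')
        return -1;
    pri = strtol(line + 1, &end, 10);
    if (*end != '>' || end - line > 4 || pri > 191)
        return -1;                      /* at most 3 digits, max 23*8+7 */
    *facility = (int)pri & LOG_FACMASK; /* LOG_USER, LOG_AUTH, ... */
    *level = LOG_PRI((int)pri);         /* LOG_EMERG (0) .. LOG_DEBUG (7) */
    return 0;
}

/* Count lines from the three facilities guessed at in the post whose level
 * is max_level or more severe (numerically lower or equal). */
int count_wanted(const char *const *lines, int n, int max_level)
{
    int i, fac, lvl, hits = 0;

    for (i = 0; i < n; i++) {
        if (decode_pri(lines[i], &fac, &lvl) != 0)
            continue;                   /* skip malformed input */
        if (fac != LOG_AUTH && fac != LOG_AUTHPRIV && fac != LOG_USER)
            continue;
        if (lvl <= max_level)
            hits++;
    }
    return hits;
}

/* Constructed sample lines; the message text is a placeholder. */
const char *const SAMPLE[] = {
    "<85>sample authpriv.notice", "<36>sample auth.warning",
    "<11>sample user.err", "<30>sample daemon.info", "<999>sample malformed",
};

int main(void)
{
    printf("at LOG_ERR: %d\n", count_wanted(SAMPLE, 5, LOG_ERR));
    printf("at LOG_NOTICE: %d\n", count_wanted(SAMPLE, 5, LOG_NOTICE));
    return 0;
}
```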


