Thread: alternative to snare

  1. #1
    tiffini
    Guest

    alternative to snare

    Hi,

    I want to be able to detect if a normal user tries to kill a root
    process. Even if the attempt was unsuccessful.
    snare does this somewhat but snare Is there another program besides
    snare and the kernel plug in that does this?



  2. #2
    bogus
    Guest

    Re: alternative to snare

    tiffini wrote:
    > Hi,
    >
    > I want to be able to detect if a normal user tries to kill a root
    > process. Even if the attempt was unsuccessful. snare does this somewhat
    > but snare Is there another program besides snare and the kernel plug in
    > that does this?
    >
    >


    Seems likely you're referring to a Linux or BSD box?

    I wouldn't fool with snare if I could avoid it either; but you'll have
    to play a bit (I haven't done it).

    I'm using Gentoo, and this is how I'd approach it on my box (YMMV):

    Go to /usr/include/sys, make a backup of syslog.h, then edit syslog.h
    and upgrade the loglevel for the appropriate syslog facility.

    e.g. the loglevel definitions are in there:

    #define LOG_EMERG 0 /* system is unusable */
    #define LOG_ALERT 1 /* action must be taken immediately */
    #define LOG_CRIT 2 /* critical conditions */
    #define LOG_ERR 3 /* error conditions */
    #define LOG_WARNING 4 /* warning conditions */
    #define LOG_NOTICE 5 /* normal but significant condition */
    #define LOG_INFO 6 /* informational */
    #define LOG_DEBUG 7 /* debug-level messages */

    and most likely the info you want is at level 4 or 5, not the default
    level of 3.

    So now you need to figure which facility is involved:

    /* facility codes */
    #define LOG_KERN (0<<3) /* kernel messages */
    #define LOG_USER (1<<3) /* random user-level messages */
    #define LOG_MAIL (2<<3) /* mail system */
    #define LOG_DAEMON (3<<3) /* system daemons */
    #define LOG_AUTH (4<<3) /* security/authorization messages */
    #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
    #define LOG_LPR (6<<3) /* line printer subsystem */
    #define LOG_NEWS (7<<3) /* network news subsystem */
    #define LOG_UUCP (8<<3) /* UUCP subsystem */
    #define LOG_CRON (9<<3) /* clock daemon */
    #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
    #define LOG_FTP (11<<3) /* ftp daemon */

    Looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER?

    So, IIWU, I'd play with facilities and loglevels 'til you get the
    messages you want on syslog.

    When you get this working, please post back here with what you did :-)


    HTH
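
The facility and level constants quoted in the reply above are OR-ed into one priority number, which a syslog daemon receives as the `<PRI>` prefix of each raw message. This added example (not code from either poster) decodes that prefix to show which facility and level a message carries and whether it clears a level-3 or level-5 threshold; the sample lines and function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Names indexed by the numeric codes in the syslog.h excerpt quoted above. */
static const char *LEVELS[] = {"emerg", "alert", "crit", "err",
                               "warning", "notice", "info", "debug"};
static const char *FACILITIES[] = {"kern", "user", "mail", "daemon", "auth", "syslog",
                                   "lpr", "news", "uucp", "cron", "authpriv", "ftp"};

/* Parse the "<PRI>" prefix of a raw syslog line; returns PRI, or -1 if malformed. */
int parse_pri(const char *line) {
    char *end;
    if (!line || line[0] != '<' || line[1] < '0' || line[1] > '9') return -1;
    long pri = strtol(line + 1, &end, 10);
    /* At most three digits, closed by '>', and no larger than (23<<3)|7. */
    if (*end != '>' || end - line > 4 || pri > 191) return -1;
    return (int)pri;
}

int pri_level(int pri)    { return pri & 7; }   /* low three bits */
int pri_facility(int pri) { return pri >> 3; }  /* undoes the header's <<3 */

const char *level_name(int pri) { return LEVELS[pri_level(pri)]; }
const char *facility_name(int pri) {
    int f = pri_facility(pri);
    return f < 12 ? FACILITIES[f] : "other";
}

/* A threshold keeps messages whose level number is <= the configured one. */
int passes_threshold(int pri, int max_level) { return pri_level(pri) <= max_level; }

int main(void) {
    /* Constructed sample lines, not captured from a real system. */
    const char *samples[] = {
        "<85>su: constructed sample, authentication failure",
        "<13>logger: constructed sample message",
        "<4>kernel: constructed sample warning",
        "line without a priority prefix",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int pri = parse_pri(samples[i]);
        if (pri < 0) { printf("malformed: %s\n", samples[i]); continue; }
        printf("%-9s %-8s kept at LOG_ERR: %d  kept at LOG_NOTICE: %d\n", facility_name(pri),
               level_name(pri), passes_threshold(pri, LOG_ERR), passes_threshold(pri, LOG_NOTICE));
    }
    return 0;
}
```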


