alternative to snare

alternative to snare
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Computer Software Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
alternative to snare tiffini 06-17-2008
Posted by tiffini on June 17, 2008, 12:32 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi,

I want to be able to detect if a normal user tries to kill a root
process. Even if the attempt was unsuccessful.
snare does this somewhat but snare Is there another program besides
snare and the kernel plug in that does this?



Posted by bogus on June 17, 2008, 3:31 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
tiffini wrote:
> Hi,
>
> I want to be able to detect if a normal user tries to kill a root
> process. Even if the attempt was unsuccessful. snare does this somewhat
> but snare Is there another program besides snare and the kernel plug in
> that does this?
>
>

Seems likely you're referring to a Linux or BSD box?

I wouldn't fool with snare if I could avoid it either; but you'll have
to play a bit (I haven't done it).

I'm using Gentoo, and this is how I'd approach it on my box (YMMV)

go to: /usr/include/sys ; make a backup of syslog.h ; edit syslog.h and
upgrade the loglevel for the appropriate syslog facility.

e.g. the loglevel definitions are in there:

#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

and most likely the info you want is at level 4 or 5, not the default
level of 3.

So now you need to figure which facility is involved:

/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by
syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages
(private) */
#define LOG_FTP (11<<3) /* ftp daemon */

looking at the above, it could be LOG_AUTHPRIV, LOG_AUTH, or LOG_USER ?

so the IIWU, I'd play with facilities and loglevels 'til you got the
messages you wanted on syslog.

When you get this working, please post back here with what you did :-)


HTH



Similar ThreadsPosted
A alternative to Evidence Eliminator ? December 14, 2006, 2:31 pm
Sunbelt Counterspy problematic - alternative? March 13, 2007, 6:21 pm

The site map in XML format XML site map

Contact Us | Privacy Policy