Unix Programming - How to catch process start


pattanawadee

2004-03-29, 10:39 am

Dear Sir,
I would like to write a program (in C) to monitor when any user comes
to the system, whether via telnet, ssh, web, or any other way by which
they can get into the system (they might log in or not).
I only want to get the pid of the first process of those users.
Could anyone suggest something? I tried looking at the source code
/usr/src/usr.bin/top/top.c and found it calls get_process_info(), but I
don't know where I can see get_process_info. Also, top refreshes
according to the time we set, while I want to get the pid immediately
when any user comes to the system.

P.S I use NetBSD

Thank you in advance,
pattanawadee siwatintuko
Pascal Bourguignon

2004-03-29, 1:39 pm

spattana@unicorn.eng.psu.ac.th (pattanawadee) writes:

> Dear Sir,
> I would like to write a program (in C) to monitor when any user comes
> to the system, whether via telnet, ssh, web, or any other way by which
> they can get into the system (they might log in or not).
> I only want to get the pid of the first process of those users.
> Could anyone suggest something? I tried looking at the source code
> /usr/src/usr.bin/top/top.c and found it calls get_process_info(), but I
> don't know where I can see get_process_info. Also, top refreshes
> according to the time we set, while I want to get the pid immediately
> when any user comes to the system.


What about su, sudo ?
What about other suid programs ?

If you really want to get the signal you're asking, you'll have to
modify the kernel and log setuid system calls.

Otherwise, processing the output of:
ps flax
could give a punctual answer, but you would not want to loop it...

ps flax | awk '{u[$3]=$2;if($4!=0){if(u[$4]!=$2){print $3,$2}}}'


--
__Pascal_Bourguignon__ http://www.informatimago.com/
There is no worse tyranny than to force a man to pay for what he doesn't
want merely because you think it would be good for him.--Robert Heinlein
http://www.theadvocates.org/
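What Pascal's one-liner is doing, and how the polling daemon the original poster describes further down the thread could build on it, as an added example (this is not code from the thread or from NetBSD; the `ps lax` column layout `F UID PID PPID ...` and the process table below are constructed assumptions). The idea is that a user's "first process" is the one whose uid differs from its parent's uid: login to shell, sshd to shell, and also su/sudo, which is why Pascal asks about them. Unlike the single-pass awk, the lookup is done after the whole table is read, so it does not depend on parents being listed before children, and the header line is skipped.

```python
"""Find 'entry' processes (uid boundary crossings) in ps(1) output.

Added example, not code from the thread. Column layout assumed: the
Linux/BSD `ps lax` form `F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY
TIME COMMAND`; SAMPLE_PS below is constructed, not real ps output.
"""
from typing import Dict, Set, Tuple

# Constructed sample. Rows are deliberately not in parent-before-child
# order, to show that the two-pass approach does not rely on ordering.
SAMPLE_PS = """\
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0     1     0  20   0   2300   800 -      Ss   ?          0:01 init
4   100   415   412  20   0   3100  1900 wait   Ss   pts/0      0:00 -csh
4     0   412   210  20   0   5500  2200 select Ss   ?          0:00 sshd: alice [priv]
4     0   210     1  20   0   5200  1800 select Ss   ?          0:00 /usr/sbin/sshd
4   100   430   415  20   0   2900  1400 -      S+   pts/0      0:00 vi notes.txt
4     0   450   415  20   0   3000  1500 wait   S    pts/0      0:00 su -
4     0   451   450  20   0   3100  1900 wait   S    pts/0      0:00 -sh
4   100   338   337  20   0   3100  1900 wait   Ss   ttyp1      0:00 -csh
4     0   337     1  20   0   2100   900 wait   Ss   ttyp1      0:00 login
"""

ProcTable = Dict[int, Tuple[int, int, str]]  # pid -> (uid, ppid, command)


def parse_ps(text: str) -> ProcTable:
    """Parse `ps lax`-style text into pid -> (uid, ppid, command)."""
    table: ProcTable = {}
    for line in text.splitlines():
        fields = line.split(None, 12)  # keep spaces inside COMMAND
        if len(fields) < 13 or not fields[2].isdigit():
            continue  # header or malformed line
        uid, pid, ppid = int(fields[1]), int(fields[2]), int(fields[3])
        table[pid] = (uid, ppid, fields[12])
    return table


def entry_processes(table: ProcTable) -> Dict[int, int]:
    """Return {pid: uid} for processes whose uid differs from the parent's.

    These are the points where control crosses a uid boundary: the first
    process a user owns after login (login/sshd are root, the shell is not)
    and a root shell obtained through su or sudo. Children that keep the
    same uid (vi under the csh) are not entry points. A process whose
    parent is missing (ppid 0, or parent already gone) is skipped rather
    than reported; Pascal's awk would report it because u[$4] is empty.
    """
    entries: Dict[int, int] = {}
    for pid, (uid, ppid, _cmd) in table.items():
        parent = table.get(ppid)
        if parent is not None and parent[0] != uid:
            entries[pid] = uid
    return entries


def new_entries(ps_text: str, seen: Set[Tuple[int, int]]) -> Dict[int, int]:
    """One poll of a daemon loop: entry pids not reported by earlier polls.

    `seen` holds (pid, uid) pairs already reported and is updated in place.
    Keying on (pid, uid) rather than pid alone avoids missing a new session
    that reuses a recycled pid under a different owner.
    """
    found = entry_processes(parse_ps(ps_text))
    fresh = {pid: uid for pid, uid in found.items() if (pid, uid) not in seen}
    seen.update(fresh.items())
    return fresh


if __name__ == "__main__":
    # A real daemon would feed subprocess.check_output(["ps", "lax"]) into
    # new_entries() every few seconds and hand each fresh pid to the tracer.
    reported: Set[Tuple[int, int]] = set()
    for pid, uid in sorted(new_entries(SAMPLE_PS, reported).items()):
        print(f"entry process pid={pid} uid={uid}")
    print("second poll, nothing new:", new_entries(SAMPLE_PS, reported))
```

Note what this catches and what it misses: it sees the boundary crossing (415 under sshd, 338 under login, the `su -` at 450) but only when the poll happens to run while the process exists, so a short-lived session can slip between two polls; that is the gap Pascal is pointing at when he says the reliable place to see every setuid transition is the kernel.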
Derk Gwen

2004-03-29, 5:37 pm

spattana@unicorn.eng.psu.ac.th (pattanawadee) wrote:
# Dear Sir,
# I would like to write program (use C language) to monitor when
# any user come to system neither via telnet, ssh ,web, or the other
# ways where can make them come to system (they might be login or not).
# I only would like to get pid of the first process of those user.

For sessions, you might try looking at wtmp.

For http requests, the server probably has a log, or is capable of writing
a log. Other servers also often have logging abilities.

--
Derk Gwen http://derkgwen.250free.com/html/index.html
Who's leading this mob?
Nick Landsberg

2004-03-29, 6:37 pm

Derk Gwen wrote:

> spattana@unicorn.eng.psu.ac.th (pattanawadee) wrote:
> # Dear Sir,
> # I would like to write program (use C language) to monitor when
> # any user come to system neither via telnet, ssh ,web, or the other
> # ways where can make them come to system (they might be login or not).
> # I only would like to get pid of the first process of those user.
>
> For sessions, you might try looking at wtmp.
>
> For http requests, the server probably has a log, or is capable of writing
> a log. Other servers also often have logging abilities.
>
> --
> Derk Gwen http://derkgwen.250free.com/html/index.html
> Who's leading this mob?


I think Derk hit it on the head. There are many "doors"
to the system and you have to watch all the doors
(if that is what you want to do.)

Telnet (since it invokes a form of "login" and the
results show up in a "who") would write to wtmp.

For web accesses, one presumes you could log all the
"new" IP addresses encountered (depending on your definition
of "new").

Each door would have to have its own
security guard with specialized tools applicable
to that door.

As to the "other" - well, define "other".

Until you have an all-inclusive list, you
can't really be sure you've tracked all accesses.

--
"It is impossible to make anything foolproof
because fools are so ingenious"
- A. Bloch
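Reading wtmp, as Derk and Nick suggest, as an added example (not code from the thread or from NetBSD). The record layout assumed here is the classic 4.4BSD/NetBSD <utmp.h> struct utmp: ut_line[8], ut_name[8], ut_host[16] followed by a 32-bit time_t in host byte order (36 bytes; little-endian is assumed for the sample, and NetBSD has used a 64-bit time_t since 6.0, so UTMP_FMT would need adjusting there). The sample buffer is constructed. The part worth noticing for this thread is that a wtmp record carries no pid at all, only the tty line, name, host and time; the utmpx format does have a ut_pid field, and the pid of the shell still has to be found from the process table.

```python
"""Decode classic BSD wtmp records and follow the file as it grows.

Added example, not code from the thread. Layout assumption: 4.4BSD/NetBSD
struct utmp = ut_line[8] ut_name[8] ut_host[16] + 32-bit time_t (host
order; '<' below for a little-endian sample). SAMPLE_WTMP is constructed.
"""
import struct
from typing import Dict, List, Tuple

UTMP_FMT = "<8s8s16si"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 36 bytes per record

Event = Tuple[str, str, str, str, int]  # (kind, line, name, host, time)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(line: str, name: str, host: str, when: int) -> bytes:
    """Build one record the way logwtmp(3) lays it out (sample helper;
    struct.pack NUL-pads short fields and truncates long ones)."""
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), when)


def decode_records(buf: bytes, offset: int = 0) -> Tuple[List[Event], int]:
    """Decode whole records from `offset`; return (events, new_offset).

    A trailing partial record (the file is being appended to while we
    read) is left for the next call, so a poller can remember new_offset,
    sleep, and continue from there. An empty ut_name marks a logout of
    ut_line, which is the convention login(1)/init(8) follow; anything
    else is a login.
    """
    events: List[Event] = []
    while offset + UTMP_SIZE <= len(buf):
        line, name, host, when = struct.unpack_from(UTMP_FMT, buf, offset)
        offset += UTMP_SIZE
        kind = "login" if name.rstrip(b"\0") else "logout"
        events.append((kind, _cstr(line), _cstr(name), _cstr(host), when))
    return events, offset


def open_sessions(events: List[Event]) -> Dict[str, Tuple[str, str, int]]:
    """Replay events; return still-open sessions as line -> (name, host, time)."""
    sessions: Dict[str, Tuple[str, str, int]] = {}
    for kind, line, name, host, when in events:
        if kind == "login":
            sessions[line] = (name, host, when)
        else:
            sessions.pop(line, None)
    return sessions


# Constructed sample: two logins, one logout, and a half-written record
# at the end (20 of 36 bytes) as a writer racing the reader would leave it.
SAMPLE_WTMP = (
    make_record("ttyp0", "alice", "10.0.0.5", 1080552000)
    + make_record("ttyp1", "bob", "", 1080552060)
    + make_record("ttyp0", "", "", 1080552300)  # alice logged out
    + make_record("ttyp2", "carol", "host.exam", 1080552400)[:20]
)


if __name__ == "__main__":
    events, offset = decode_records(SAMPLE_WTMP)
    for ev in events:
        print(ev)
    print("open:", open_sessions(events), "resume at byte", offset)
    # A real watcher would reopen /var/log/wtmp and read from `offset`.
```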
pattanawadee

2004-03-30, 5:37 am

Thank you for all the suggestions; I will study the log files.
For my work, I edited ktruss (dump.c) to detect some intrusions
according to supporting rules. It works in the case where I specify
the process id, e.g. I use the command ktruss -id -p 338, where 338 is
the process id of a csh prompt of uid 100. My modified ktruss can trace
that process and see which system calls are called, and it can also
trace its child processes and detect intrusions according to my rules;
once one is detected, all processes inherited from the start process
(in this case starting from pid 338) are killed and the user is kicked
off the system.
So the better way would be to modify my ktruss so that, instead of a
specified pid, it uses the start process of each user whenever a user
comes to the system, and to run my program as a daemon. That means the
admin will not supply the pid themselves; the program should
automatically catch the start process each time a user comes to the
system and pass that pid as a parameter to my modified ktruss program
to trace its inherited processes.

My only problem now is finding a way to catch the start process of
each user, whichever way they come in.