Subject: Re: Core Dump as an Intrusion Event
From: Jarno Huuskonen (jhuuskon MESSI.UKU.FI)
Date: Fri Oct 06 2000 - 00:01:08 CDT
- Next message: torn: "Re: tornkit"
- Previous message: Erik Tayler: "Re: Core Dump as an Intrusion Event"
- In reply to: Eclipse, Solar: "Re: Core Dump as an Intrusion Event"
- Next in thread: Crist Clark: "Re: Core Dump as an Intrusion Event"
- Reply: Jarno Huuskonen: "Re: Core Dump as an Intrusion Event"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, Oct 05, Eclipse, Solar wrote:
> This is a very interesting idea and it needs further research.
> System services on Linux dump core very rarely and a core dump
> can indeed be an indication that something is wrong. Keep in mind that
> core dumps can be disabled and that it's easy to delete any evidence
> once the attacker has root access.
>
> A better solution would be a kernel patch that hooks into the SIGSEGV
> signal handler and logs all segmentation faults. A predefined list of
> programs can be monitored. Maybe it's feasible to log segfaults of all
> root processes.
On AIX the system logs core dumps to its error-logging system. In the report
there's the program's name, possible reason for dumping core etc.
This feature is quite useful so I'd like to see something like that on Linux
as well. Maybe the kernel module could use syslog for reporting core dumps.
-Jarno
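Later Linux kernels (2.6.19 and up) give the syslog-based reporting Jarno asks for without a kernel patch: kernel.core_pattern can pipe each core dump to a user-space handler, which then logs the program name, signal and owning uid. The handler below is an added example, not code from the thread; the sysctl line, the script path and the log format are assumptions.

```python
# Pipe handler for kernel.core_pattern that reports each core dump via syslog.
# Assumed setup (an assumption, not from the thread):
#   sysctl -w kernel.core_pattern='|/usr/local/sbin/corelog.py %p %s %e %u %t %h'
# argv then carries pid, signal, comm, uid, epoch time, hostname; stdin carries the core.
import signal, sys, syslog, time

def parse_args(argv):
    """Map the six core_pattern specifiers to a dict; None if malformed."""
    if len(argv) != 6:
        return None
    try:
        pid, signum, uid, when = (int(argv[i]) for i in (0, 1, 3, 4))
    except ValueError:
        return None
    return {"pid": pid, "signal": signum, "exe": argv[2],
            "uid": uid, "time": when, "host": argv[5]}

def signal_name(signum):
    try:
        return signal.Signals(signum).name  # e.g. 11 -> SIGSEGV
    except ValueError:
        return "SIG%d" % signum

def format_event(ev, core_bytes):
    """One log line; root-owned crashes are tagged so they can be alerted on."""
    flag = "ROOT-PROCESS" if ev["uid"] == 0 else "user-process"
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ev["time"]))
    return ("core dump: exe=%s pid=%d uid=%d signal=%s core_bytes=%d host=%s at=%s [%s]"
            % (ev["exe"], ev["pid"], ev["uid"], signal_name(ev["signal"]),
               core_bytes, ev["host"], stamp, flag))
def drain_core(stream, chunk=1 << 16):  # read the whole image so the kernel is not blocked
    total = 0
    while True:
        buf = stream.read(chunk)
        if not buf:
            return total
        total += len(buf)

def main():
    ev = parse_args(sys.argv[1:])
    core_bytes = drain_core(sys.stdin.buffer)  # consume before logging
    syslog.openlog("corelog", syslog.LOG_PID, syslog.LOG_DAEMON)
    if ev is None:
        syslog.syslog(syslog.LOG_ERR, "core dump with unexpected argv: %r" % sys.argv[1:])
        return 1
    syslog.syslog(syslog.LOG_CRIT if ev["uid"] == 0 else syslog.LOG_WARNING,
                  format_event(ev, core_bytes))
    return 0
if __name__ == "__main__":
    sys.exit(main())
```

The handler must read the entire core from stdin before exiting, otherwise the kernel is left waiting on the pipe; the size read is logged instead of the image itself, which is the detail an intrusion analyst wants to correlate.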