Subject: Re: Core Dump as an Intrusion Event
From: antirez (antirez@linuxcare.com)
Date: Sun Oct 08 2000 - 01:05:14 CDT


> A better solution would be a kernel patch that hooks into the SIGSEGV
> signal handler and logs all segmentation faults. A predefined list of
> programs can be monitored. Maybe it's feasible to log segfaults of all
> root processes.

This is an example:

--- /usr/src/linux/kernel/signal.c Sat Oct 7 23:35:17 2000
+++ /usr/src/linux-2/kernel/signal.c Sat Oct 7 23:44:25 2000
-282,6 +282,10
                goto out_nolock;
        }

+ if (sig == SIGSEGV)
+ printk(KERN_NOTICE "%s(pid:%d) segmentation fault\n",
+ current->comm, current->pid);
+
        switch (sig) {
        case SIGKILL: case SIGCONT:
                /* Wake up the process if stopped. */
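Review bot: the printk added at the top of this hunk logs current->comm and current->pid, but in the signal-sending path current is the task that is sending the signal; that coincides with the faulting task only when the trap handler forces SIGSEGV on the current process, while for a signal sent with kill(2) it is the sender, so the log entry would name the wrong process. Log the comm and pid of the task_struct the enclosing function receives as the signal target rather than current. As written the check also fires on every SIGSEGV delivery, including one an unprivileged user sends to one of his own processes with kill(pid, SIGSEGV), so it cannot tell a genuine fault from a forged one, and since the printk is not throttled a local user can flood the log with "segmentation fault" lines; consider testing the siginfo origin (kernel-generated versus user-sent) before logging, or moving the hook into the arch fault handler as the reply itself goes on to suggest.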

If you want to log only some uids, just add a current->uid check
in the 'if'.
With a bit of hacking in the i386 arch-related code it may be
possible to also log the address that caused the problem
and the type of access.

Maybe gigi sullivan and I will release a complete patch soon,
but it seems it can't be done entirely as a module :(
Can some linux-kernel skilled people confirm this?

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez@linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
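The post above wants the fault address and access type logged and worries that a plain SIGSEGV hook cannot be done as a module. The following is an added example, not antirez's patch or any Linuxcare code, showing from user space what the kernel already attaches to a SIGSEGV on Linux: a genuine fault arrives with si_code SEGV_MAPERR or SEGV_ACCERR and the faulting address in si_addr, while a SIGSEGV sent with kill(2) arrives with si_code SI_USER. That difference is exactly what a delivery-time hook like the one in the patch would need to check, otherwise any process can forge "segmentation fault" log entries. The function names, the read-only probe page and the classification strings are this example's own assumptions.

```c
/* Added example (not from the original post): distinguish a kernel-generated
 * SIGSEGV from one sent by a process, using the siginfo the kernel supplies.
 * Tested on Linux/glibc; the probe page and helper names are this example's own. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf recover;                 /* where the handler jumps back to */
static volatile sig_atomic_t last_code;    /* si_code of the last SIGSEGV seen */
static void *volatile last_addr;           /* si_addr of the last SIGSEGV seen */
static char *probe_page;                   /* read-only page used to raise a real fault */

/* SA_SIGINFO handler: record origin and address, then unwind with siglongjmp
 * so the faulting instruction is not retried. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    last_code = si->si_code;
    last_addr = si->si_addr;
    siglongjmp(recover, 1);
}

/* Install the handler; returns 0 on success (sigaction's own result). */
static int install_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Map si_code to a log label. Kernel-generated faults have si_code > 0;
 * SI_USER (0) and the other non-positive codes mean a process sent the signal. */
static const char *classify(int code) {
    if (code == SEGV_MAPERR) return "fault:unmapped";
    if (code == SEGV_ACCERR) return "fault:protection";
    if (code <= 0) return "sent-by-process";
    return "fault:other";
}

/* Write to a page mapped PROT_READ: the kernel raises SIGSEGV with
 * SEGV_ACCERR and si_addr inside the page. Returns the si_code observed,
 * or -1 if the probe page could not be mapped. */
static int trigger_real_fault(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    probe_page = mmap(NULL, (size_t)pagesz, PROT_READ,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (probe_page == MAP_FAILED) return -1;
    last_code = 0; last_addr = NULL;
    if (sigsetjmp(recover, 1) == 0)
        *(volatile char *)probe_page = 1;  /* faults here; handler jumps back */
    munmap(probe_page, (size_t)pagesz);
    printf("real fault: %s at %p\n", classify(last_code), last_addr);
    return last_code;
}

/* 1 if the last recorded si_addr was the probe page written above. */
static int fault_address_recorded(void) {
    return last_addr == (void *)probe_page;
}

/* Send SIGSEGV to ourselves with kill(2): same signal, but si_code is SI_USER
 * and si_addr carries no fault address. Returns the si_code observed. */
static int trigger_kill(void) {
    last_code = 0; last_addr = NULL;
    if (sigsetjmp(recover, 1) == 0)
        kill(getpid(), SIGSEGV);           /* delivered before kill returns */
    printf("kill(2): %s\n", classify(last_code));
    return last_code;
}

int main(void) {
    if (install_handler() != 0) return 1;
    trigger_real_fault();
    trigger_kill();
    return 0;
}
```

A kernel-side logger has the same information available at the point where the trap handler builds the siginfo (on i386, the fault address and the read/write bit of the error code), which is why the arch fault handler is the better hook than the generic send path: it only sees real faults, and it knows the address and access type before the signal is queued.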