Subject: Re: Core Dump as an Intrusion Event
From: Jarno Huuskonen (jhuuskon@MESSI.UKU.FI)
Date: Sun Oct 08 2000 - 14:41:05 CDT
- Next message: Andrew Griffiths: "Re: Non-priv'ed users able to reboot RH 7.0?"
- Previous message: Guilherme Mesquita: "Re: Q: Voice over IP security - anyone?"
- In reply to: antirez: "Re: Core Dump as an Intrusion Event"
- Next in thread: Gigi Sullivan: "Re: Core Dump as an Intrusion Event"
- Next in thread: Michael Wojcik: "Re: Core Dump as an Intrusion Event"
- Reply: Jarno Huuskonen: "Re: Core Dump as an Intrusion Event"
- Reply: Gigi Sullivan: "Re: Core Dump as an Intrusion Event"
- Reply: antirez: "Re: Core Dump as an Intrusion Event"
- Reply: Daniel Roesen: "Re: Core Dump as an Intrusion Event"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, Oct 08, antirez wrote:
> This is an example:
>
> --- /usr/src/linux/kernel/signal.c Sat Oct 7 23:35:17 2000
> +++ /usr/src/linux-2/kernel/signal.c Sat Oct 7 23:44:25 2000
> 
-282,6 +282,10 
> goto out_nolock;
> }
>
> + if (sig == SIGSEGV)
> + printk(KERN_NOTICE "%s(pid:%d) segmentation fault\n",
> + current->comm, current->pid);
> +
> switch (sig) {
> case SIGKILL: case SIGCONT:
> /* Wake up the process if stopped. */
>
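Review bot: the new printk in this hunk fires on every SIGSEGV that passes through this path with no rate limiting, so a single local process that faults repeatedly (or sends itself SIGSEGV with kill() in a loop) can flood the kernel ring buffer and syslog, pushing out the very events the patch is meant to preserve; a per-task or global limit (for example a counter reset every few seconds, logging only the first N occurrences) would keep the log usable. The entry also cannot be taken as evidence of a real memory fault, because this generic delivery code is reached by kill(pid, SIGSEGV) as well as by the page-fault handler and the message shows only `current->comm` and `current->pid`; recording whether the siginfo originated in the kernel and which task the signal is actually delivered to would make the line trustworthy as an intrusion indicator.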
> If you want to log only some uids, just add a current->uid check
> in the 'if'.
> By hacking a bit on the arch-related code of the i386 it may be
> possible to also log the address that caused the problem
> and the type of access.
>
> Maybe I and Gigi Sullivan will release a complete patch soon,
> but it seems it can't be done entirely as a module :(
> Can some linux-kernel skilled people confirm this?
What about adding some code so it can be controlled through the proc filesystem?
Like enabling/disabling logging, logging only certain programs, etc.
(echo 1 > /proc/sys/kernel/core-logging)
Does this sound feasible/sensible?
-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Centre | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
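The kernel log line the quoted patch emits is only useful if something on the host reads it. As an added example, not code from this thread or from its authors, the following Python script parses syslog lines in the exact printk format shown in the patch ("comm(pid:N) segmentation fault") and flags programs that segfault repeatedly within a short window, which is the pattern the thread's subject, core dumps as an intrusion event, is concerned with: one crash is noise, a burst of crashes in the same daemon is what a repeatedly attempted overflow looks like from the defender's side. The sample log lines, hostname, year and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real data) in the format that the
# quoted patch's printk produces once klogd/syslogd add their prefix.
SAMPLE_LOG = """\
Oct  8 14:30:01 host kernel: httpd(pid:1201) segmentation fault
Oct  8 14:30:02 host kernel: httpd(pid:1202) segmentation fault
Oct  8 14:30:02 host kernel: httpd(pid:1203) segmentation fault
Oct  8 14:30:03 host kernel: httpd(pid:1204) segmentation fault
Oct  8 14:31:10 host kernel: netscape(pid:777) segmentation fault
Oct  8 14:35:00 host kernel: httpd(pid:1300) segmentation fault
Oct  8 14:40:00 host sshd[500]: Accepted password for jarno from 10.0.0.5
"""

# Syslog timestamp, any hostname, the "kernel:" tag, then the patch's message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+'
    r'(?P<comm>\S+)\(pid:(?P<pid>\d+)\) segmentation fault$'
)


def parse_segfaults(text, year=2000):
    """Return a list of (timestamp, comm, pid) for every segfault line.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    here to be 2000, matching the thread's date). Non-matching lines are
    skipped rather than treated as errors."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['comm'], int(m['pid'])))
    return events


def find_bursts(events, threshold=3, window_seconds=60):
    """Return {comm: peak_count} for programs that segfaulted at least
    `threshold` times inside some sliding window of `window_seconds`.

    Grouping is by program name, not pid: a forking server such as httpd
    hands each crash a fresh pid, and that is exactly the case where a
    per-pid count would hide the burst."""
    by_comm = defaultdict(list)
    for ts, comm, _pid in events:
        by_comm[comm].append(ts)

    bursts = {}
    for comm, times in by_comm.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits in the window.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[comm] = max(bursts.get(comm, 0), count)
    return bursts


if __name__ == "__main__":
    events = parse_segfaults(SAMPLE_LOG)
    for comm, count in sorted(find_bursts(events).items()):
        print(f"ALERT: {comm} segfaulted {count} times within 60s")
```

With the constructed input, the four httpd crashes within three seconds trigger an alert while the single netscape crash does not; on a real host the threshold and window would be tuned to the normal crash rate of each service, and a sysctl toggle like the one proposed above would decide whether the kernel emits the lines at all.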