Subject: Re: Core Dump as an Intrusion Event
From: Jarno Huuskonen (jhuuskon@MESSI.UKU.FI)
Date: Mon Oct 09 2000 - 15:29:25 CDT
- Next in thread: Gigi Sullivan: "Re: Core Dump as an Intrusion Event"
- Next in thread: antirez: "Re: Core Dump as an Intrusion Event"
- Maybe reply: Jarno Huuskonen: "Re: Core Dump as an Intrusion Event"
- Reply: Gigi Sullivan: "Re: Core Dump as an Intrusion Event"
On Mon, Oct 09, Gigi Sullivan wrote:
> This should be useful, but making this feature sysctl tunable may
> allow some malicious attacker to turn it off easily.
Turning off the logging should require root privileges. If the
attacker can turn off logging, then the damage is already done, so I don't
know if logging core dumps after a successful root exploit is going to help
(maybe log that the feature was turned off).
> Ok, if you're root, you can do anything you want, but remember that
> being root is really different from owning the kernel.
>
> Someone could argue that whenever root is owned, log could be altered.
> This is true and false ;) IMHO. Think about external logging peripherals,
> secure syslog implementations (the CORE SDI one), tripwire or something else ...
I think that logging core dumps before the attacker gains root is important so
(hopefully) it buys a little time before successful attack.
> So, /proc (sysctl) tunable option could be *really* usefull, but
> hard coded statements are safer, IMHO (even if more restrictive).
I agree that there has to be some kind of compromise.
> Needless to say, we could think about a `secure' sysctl tuning
> mechanism.
I'm not so sure about this ... Perhaps too complicated for what it's worth ??
-Jarno
--
Jarno Huuskonen - System Administrator  | Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Centre  | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland      | Mobile: +358 40 5388169
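The point Jarno makes above is that a logged crash is most valuable before the attacker has root: a service that dies with SIGSEGV while someone is brute-forcing an overflow offset is an intrusion event in its own right. The following is an added example, not code from the thread or from either poster. It assumes the segfault message format that later Linux kernels write to the kernel log (the per-process "segfault at ADDR ip IP sp SP error N" line, which today is toggled by the debug.exception-trace sysctl, i.e. roughly the tunable feature being debated here); the sample log lines are constructed, and the three heuristics (a burst of crashes in one program, a fault address that equals the instruction pointer, and a fault address made of one repeated filler byte such as 0x41414141) are the author's own choices, not anything the thread specifies.

```python
"""Treat kernel segfault log lines as candidate intrusion events.

Added example (not from the mailing-list thread). Assumptions:
  - log lines follow the later-Linux "segfault at ... ip ... sp ... error N" format;
  - the sample log below is constructed for illustration;
  - the heuristics are the example author's, chosen to catch overflow attempts
    that crash a service repeatedly before the attacker gets control.
"""
import re
from collections import defaultdict

# Syslog-prefixed kernel segfault line, e.g.
# "Oct  9 15:20:01 host kernel: httpd[2231]: segfault at 41414141 ip ... error 14 in httpd[...]"
SEGFAULT_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Constructed sample: three httpd crashes within a few seconds, all landing on a
# filler-byte address, one ordinary NULL dereference in a desktop app, one non-kernel line.
SAMPLE_LOG = """\
Oct  9 15:20:01 host kernel: httpd[2231]: segfault at 41414141 ip 0000000041414141 sp 00007ffd2c1d3a40 error 14 in httpd[400000+9000]
Oct  9 15:20:03 host kernel: httpd[2235]: segfault at 41414141 ip 0000000041414141 sp 00007ffd2c1d3a40 error 14 in httpd[400000+9000]
Oct  9 15:20:06 host kernel: httpd[2240]: segfault at 42424242 ip 0000000042424242 sp 00007ffd2c1d3a40 error 14 in httpd[400000+9000]
Oct  9 15:21:10 host kernel: gimp[3001]: segfault at 0 ip 00007f3c1a2b3c4d sp 00007ffc8e1f2a30 error 4 in libc-2.31.so[7f3c1a200000+1c0000]
Oct  9 15:22:00 host sshd[1200]: Accepted publickey for jarno from 10.0.0.5 port 51234 ssh2
"""


def parse_segfault(line):
    """Return a dict for a segfault line, or None for anything else."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {
        "t": h * 3600 + mi * 60 + s,      # seconds since midnight; enough for windowing
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "addr": int(m["addr"], 16),
        "ip": int(m["ip"], 16),
        "err": int(m["err"]),
    }


def repeated_byte(value):
    """True if the low 32 bits of value are one repeated non-zero byte (0x41414141 style)."""
    b = (value & 0xFFFFFFFF).to_bytes(4, "little")
    return b[0] != 0 and all(x == b[0] for x in b)


def analyze(lines, window=60, threshold=3):
    """Map program name -> sorted list of reasons it looks like an exploit target.

    Reasons:
      burst               - at least `threshold` segfaults within `window` seconds
      ip_equals_fault_addr - execution was diverted to the faulting address
      filler_pattern      - fault address is a repeated byte (overflow padding)
    Programs with no reason are omitted.
    """
    events = [e for e in (parse_segfault(l) for l in lines) if e]
    by_comm = defaultdict(list)
    for e in events:
        by_comm[e["comm"]].append(e)

    alerts = {}
    for comm, evs in by_comm.items():
        reasons = set()
        for e in evs:
            if e["addr"] != 0 and e["ip"] == e["addr"]:
                reasons.add("ip_equals_fault_addr")
            if repeated_byte(e["addr"]):
                reasons.add("filler_pattern")
        ts = sorted(e["t"] for e in evs)
        # sliding window: any run of `threshold` consecutive crashes inside `window` seconds
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            reasons.add("burst")
        if reasons:
            alerts[comm] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for comm, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{comm}: {', '.join(reasons)}")
```

Run against the constructed sample it flags only httpd (burst, filler_pattern, ip_equals_fault_addr) and stays quiet about the single NULL dereference in gimp, which is the distinction the thread wants: ordinary crashes are noise, a service dying repeatedly at attacker-shaped addresses is an alert. As Jarno notes, this only helps while the attacker is still failing; once they have root they can clear the log or, on a tunable kernel, switch the messages off, so the output belongs on a remote log host.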