Subject: Re: Core Dump as an Intrusion Event
From: antirez (antirezLINUXCARE.COM)
Date: Mon Oct 09 2000 - 19:48:42 CDT


On Sun, Oct 08, 2000 at 10:41:05PM +0300, Jarno Huuskonen wrote:
> What about adding some code so it can be controlled thru the proc filesystem ?
> Like enabling/disabling logging, log only certain programs etc.
> (echo 1 > /proc/sys/kernel/core-logging)
> Does this sound feasible/sensible ?

Attached is a patch and a module that implements
/proc/sigsegv (FreeBSD sigsegv log style). See the README for usage.
It's for linux 2.2.16 (likely 2.2.17).
About a secure way to enable/disable the patch: using some
kind of state global variable, like log_sigsegv = [01], it
is anyway trivial to break. You may implement a lot of
security checking in the module that gets the on/off command,
but it's too simple to get the address of the symbol and change
the value via /dev/kmem or just to compile a module that
skips our silly checks. So use -DLOGSIGSEGV_PARANOID
to obtain a hardcoded static logging.
The patch is SMP-safe, since printk() should be safe.

antirez

p.s. linux kernel skilled guys in the list may suggest enhancements or fixes.

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirezlinuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
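A detection-side illustration of the idea in this thread (segfaults logged as an intrusion indicator), added here and not part of antirez's patch or README: it parses the `segfault at ... ip ... sp ... error ...` lines that later x86 Linux kernels print for a faulting process (the 2.2 /proc/sigsegv output format is not shown in the mail, so the modern format is assumed), decodes the page-fault error code, and flags a watched program that faults repeatedly at the same address. The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample kernel log: three httpd children faulting at the same
# address (a 0x41414141 fill pattern, user-mode instruction fetch), one
# ordinary NULL-pointer read in gimp, and one unrelated line.
SAMPLE_KLOG = """\
[  101.223] httpd[2319]: segfault at 41414141 ip 0000000041414141 sp 00007ffd3c1e0c20 error 14 in httpd[400000+8a000]
[  101.410] httpd[2320]: segfault at 41414141 ip 0000000041414141 sp 00007ffd3c1e0c20 error 14 in httpd[400000+8a000]
[  101.602] httpd[2321]: segfault at 41414141 ip 0000000041414141 sp 00007ffd3c1e0c20 error 14 in httpd[400000+8a000]
[  140.007] gimp[3001]: segfault at 0 ip 00007f0d3b2a11c0 sp 00007ffc5d2e1a30 error 4 in libgimp.so[7f0d3b1f0000+c0000]
[  150.330] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# Layout printed by arch/x86 show_signal_msg(); every number is hex.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)
PF_USER, PF_INSTR = 0x4, 0x10  # x86 page-fault error code bits

def parse_segfaults(klog):
    """Return one dict per segfault line; other lines are skipped."""
    events = []
    for line in klog.splitlines():
        m = SEGV_RE.search(line)
        if not m:
            continue
        err = int(m["err"], 16)
        events.append({
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "addr": int(m["addr"], 16),
            "ip": int(m["ip"], 16),
            "user": bool(err & PF_USER),
            # Instruction fetch from an unmapped page: control flow left
            # the mapped text, the signature of a corrupted return address.
            "instr_fetch": bool(err & PF_INSTR),
        })
    return events

def suspicious(events, watch=("httpd",), threshold=2):
    """Watched programs faulting >= threshold times at one (addr, ip) pair."""
    # One crash is usually a bug; a burst of identical faults in a
    # network-facing daemon is the "intrusion event" the thread is about.
    counts = Counter(
        (e["comm"], e["addr"], e["ip"]) for e in events if e["comm"] in watch
    )
    return {key: n for key, n in counts.items() if n >= threshold}
```

Feed it `dmesg` output (or the kernel log file) in place of the constructed sample; `watch` lists the daemons whose crashes should be treated as events rather than noise.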