Subject: Re: Core Dump as an Intrusion Event
From: Gigi Sullivan (sullivan@SIKUREZZA.ORG)
Date: Wed Oct 11 2000 - 16:45:51 CDT
- Next message: Slawek: "Re: ascii decoder"
- Previous message: Bob Dog: "Re: Netscape crashes, sec. bug?"
- In reply to: Jarno Huuskonen: "Re: Core Dump as an Intrusion Event"
- Next in thread: antirez: "Re: Core Dump as an Intrusion Event"
- Reply: Gigi Sullivan: "Re: Core Dump as an Intrusion Event"
- Reply: antirez: "Re: Core Dump as an Intrusion Event"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Aiee :)
Hello!
(I apologize for the lag about the answer; rather busy :))
On Mon, Oct 09, 2000 at 11:29:25PM +0300, Jarno Huuskonen wrote:
[snip]
> To turn off the logging should require root privileges. If the
> attacker can turn off logging, then the damage is already done, so I don't
> know if logging core dumps after successful root exploit is going to help
> (maybe log that the feature was turned off).
Obviously we're going to log every abnormal process termination
(read segv, abrt, ill, bus and so on).
This may produce false positives as well, unfortunately :)
[snip]
> I think that logging core dumps before the attacker gains root is important so
> (hopefully) it buys a little time before successful attack.
I agree.
> > So, /proc (sysctl) tunable option could be *really* useful, but
> > hard coded statements are safer, IMHO (even if more restrictive).
>
> I agree that there has to be some kind of compromise.
>
> > Nevertheless to say that we could think about a `secure' sysctl tuning
> > mechanism.
> I'm not so sure about this ... Perhaps too complicated for what it's worth ??
Maybe.
Could we find a way to be able to change this feature just *only* in
single user mode? uhm ... too much effort, maybe and ... we're going
to think about GNU/Linux kernel internals and I don't think the list
was created for this ;) (that said, I have no problem to continue)
>
> -Jarno
>
> --
> Jarno Huuskonen - System Administrator | Jarno.Huuskonen@uku.fi
> University of Kuopio - Computer Centre | Work: +358 17 162822
> PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
bye bye
-- gg sullivan
-- Lorenzo Cavallaro `Gigi Sullivan' <sullivan@sikurezza.org>
LibRNet Project Home Page: http://www.sikurezza.org/sullivan
LibRNet Mailing List: librnet-subscribe@egroups.com
Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner)
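The thread argues for logging every abnormal process termination (SIGSEGV, SIGABRT, SIGILL, SIGBUS) as a possible intrusion indicator, while conceding that such logs carry false positives. The script below is an added illustration of the defender's side of that trade-off and is not code from the thread or from the LibRNet project. It assumes the modern x86 Linux "segfault at ... ip ... sp ... error ..." line that the kernel writes to syslog when unhandled-signal tracing is on (not available on the 2000-era kernels discussed above), and it assumes the syslog prefix format shown in the constructed sample. Two heuristics separate "probably a bug" from "probably an attack": an instruction fetch from an unmapped address where the faulting address equals the instruction pointer (control flow was redirected somewhere that is not code), and the same binary crashing several times within a short window (a service being hammered). Null-pointer style crashes are tagged but not escalated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines; none of these come from a real host.
SAMPLE_LOG = """\
Oct 11 16:40:01 host kernel: wu-ftpd[1022]: segfault at 41414141 ip 0000000041414141 sp 00000000bffff3a0 error 14
Oct 11 16:40:03 host kernel: wu-ftpd[1024]: segfault at 41414145 ip 0000000041414145 sp 00000000bffff3a0 error 14
Oct 11 16:40:05 host kernel: wu-ftpd[1026]: segfault at 41414149 ip 0000000041414149 sp 00000000bffff3a0 error 14
Oct 11 16:42:17 host kernel: firefox[2201]: segfault at 0 ip 00007f3b1c2d4e10 sp 00007ffe31a0c2b0 error 4 in libxul.so[7f3b1a000000+5000000]
Oct 11 16:43:00 host sshd[300]: Accepted publickey for alice from 10.0.0.5 port 51022
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <host> kernel: <comm>[<pid>]: segfault at
# <addr> ip <ip> sp <sp> error <code>"; all numeric fields are hexadecimal.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code bits: bit 2 = fault in user mode, bit 4 = instruction fetch.
PF_USER = 0x4
PF_INSTR = 0x10


def parse_crash(line, year=2000):
    """Return a dict for a kernel segfault line, or None for anything else.
    Syslog lines carry no year, so the caller supplies it."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "comm": m["comm"], "pid": int(m["pid"]),
        "addr": int(m["addr"], 16), "ip": int(m["ip"], 16),
        "sp": int(m["sp"], 16), "err": int(m["err"], 16),
    }


def crash_indicators(ev):
    """Tag a single crash with triage hints."""
    tags = []
    # The CPU tried to execute at the address that faulted: control flow was
    # redirected into memory that is not mapped as code. Typical of a corrupted
    # return address or function pointer, and rare for ordinary bugs.
    if ev["ip"] == ev["addr"] and ev["err"] & PF_INSTR:
        tags.append("control-flow-hijack")
    # Access within the first page is the classic null-pointer dereference.
    if ev["addr"] < 0x1000:
        tags.append("null-deref")
    return tags


def analyze(log_text, year=2000, window_s=60, threshold=3):
    """Scan a syslog excerpt and return a list of alert dicts.

    Escalates two things: any crash tagged control-flow-hijack, and any
    program name (comm) that crashes `threshold` times within `window_s`
    seconds. Everything else is left as noise for the analyst."""
    events = [e for e in (parse_crash(l, year) for l in log_text.splitlines()) if e]
    alerts = []
    by_comm = defaultdict(list)
    for ev in events:
        by_comm[ev["comm"]].append(ev)
        if "control-flow-hijack" in crash_indicators(ev):
            alerts.append({"comm": ev["comm"], "pid": ev["pid"],
                           "kind": "control-flow-hijack",
                           "detail": f"ip == fault addr 0x{ev['addr']:x}, error 0x{ev['err']:x}"})
    # Sliding window over each program's crashes, sorted by time.
    for comm, evs in by_comm.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            span = (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= window_s:
                alerts.append({"comm": comm, "pid": None, "kind": "repeated-crash",
                               "detail": f"{threshold} crashes within {span:.0f}s"})
                break
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["kind"], a["comm"], a["pid"], a["detail"])
```

Run stand-alone it reports three hijack-style crashes and one repeated-crash alert for the constructed `wu-ftpd` lines, and nothing for the `firefox` null dereference, which is the point: the raw crash log is noisy, but the fault address, instruction pointer and error code that the kernel already records are enough to rank what an operator should look at first.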