Re: Core Dump as an Intrusion Event

[Jarno Huuskonen <jhuuskon () MESSI UKU FI>]

On Thu, Oct 05, Eclipse, Solar wrote:
> This is a very interesting idea and it needs further research.
> System services on Linux dump core very rarely and a core dump
> can indeed be an indication that something is wrong. Keep in mind that
> core dumps can be disabled and that it's easy to delete any evidence
> once the attacker has root access.
>
> A better solution would be a kernel patch that hooks into the SIGSEGV
> signal handler and logs all segmentation faults. A predefined list of
> programs can be monitored. Maybe it's fesable to log segfaults of all
> root processes.

On AIX the system logs core dumps to its error-logging system. In the report
there's the programs name, possible reason for dumping core etc.
This feature is quite usefull so I'd like to see something like that on Linux
as well. Maybe the kernel module could use syslog for reporting core dumps.

-Jarno