Vulnerability Development mailing list archives
Re: Core Dump as an Intrusion Event
From: Jarno Huuskonen <jhuuskon () MESSI UKU FI>
Date: Fri, 6 Oct 2000 08:01:08 +0300
On Thu, Oct 05, Eclipse, Solar wrote:
> This is a very interesting idea and it needs further research. System services on Linux dump core very rarely and a core dump can indeed be an indication that something is wrong. Keep in mind that core dumps can be disabled and that it's easy to delete any evidence once the attacker has root access. A better solution would be a kernel patch that hooks into the SIGSEGV signal handler and logs all segmentation faults. A predefined list of programs can be monitored. Maybe it's feasible to log segfaults of all root processes.
On AIX the system logs core dumps to its error-logging system. In the report there's the program's name, possible reason for dumping core etc. This feature is quite useful so I'd like to see something like that on Linux as well. Maybe the kernel module could use syslog for reporting core dumps.

-Jarno
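The monitoring discussed in this thread, as an added example that is not part of either post: it assumes a present-day Linux host whose audit subsystem writes `ANOM_ABEND` records for processes killed by a core-dumping signal, and flags crashes of root processes or of programs on a watch list. The watch list, the function names and the sample records are constructed for illustration.

```python
import re

# Hypothetical watch list of network-facing daemons; adjust per host.
WATCHED = {"named", "sshd", "httpd"}
# Linux signal numbers (x86/ARM) whose default action dumps core.
CRASH_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_abend(line):
    """Return the fields of one ANOM_ABEND record, or None for anything else."""
    if not line.startswith("type=ANOM_ABEND "):
        return None
    raw = dict(FIELD.findall(line))
    try:
        return {"uid": int(raw["uid"]), "sig": int(raw["sig"]),
                "pid": int(raw["pid"]), "comm": decode(raw["comm"])}
    except (KeyError, ValueError):
        return None  # truncated or malformed record

def triage(lines):
    """Return (comm, pid, signal, reasons) for each crash that matches the policy."""
    alerts = []
    for line in lines:
        rec = parse_abend(line)
        if rec is None or rec["sig"] not in CRASH_SIGNALS:
            continue
        reasons = [why for hit, why in ((rec["uid"] == 0, "root process"),
                                        (rec["comm"] in WATCHED, "watched program")) if hit]
        if reasons:
            alerts.append((rec["comm"], rec["pid"], CRASH_SIGNALS[rec["sig"]], reasons))
    return alerts

# Constructed sample records, not taken from a real host.
SAMPLE = [
    'type=ANOM_ABEND msg=audit(970808468.101:41): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=612 comm="named" exe="/usr/sbin/named" sig=11 res=1',
    'type=ANOM_ABEND msg=audit(970808470.007:42): auid=1000 uid=1000 gid=1000 ses=3 pid=2301 comm="xterm" exe="/usr/bin/xterm" sig=11 res=1',
    'type=ANOM_ABEND msg=audit(970808471.500:43): auid=1000 uid=33 gid=33 ses=3 pid=2400 comm="httpd" exe="/usr/sbin/httpd" sig=6 res=1',
    'type=SYSCALL msg=audit(970808472.000:44): arch=c000003e syscall=59 success=yes uid=0 comm="ls"',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Forwarding the audit log to a remote collector addresses the point raised in the quoted message that local evidence is easy to delete once an attacker has root.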