Re: Core Dump as an Intrusion Event

[Crist Clark <crist.clark () GLOBALSTAR COM>]

"Eclipse, Solar" wrote:
[snip]

> A better solution would be a kernel patch that hooks into the SIGSEGV
> signal handler and logs all segmentation faults. A predefined list of
> programs can be monitored. Maybe it's fesable to log segfaults of all
> root processes.

Aren't seg faults logged already? I was kind of assuming that in my previous
mail. My FreeBSD systems all log seg faults out of the box since the
/etc/syslog.conf is logging at kern.debug (not sure what level seg faults
are off the top of my head). Coulda sworn I had my Solaris boxen did this
too, but a quick test shows otherwise.

Hmmm... What systems out there can log seg faults and other memory errors
from the kernel? Some people mentioned searching for core dumps, but you
should not be having root owned processes dumping core anyway.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com