Vulnerability Development mailing list archives
Re: Core Dump as an Intrusion Event
From: antirez <antirez () linuxcare com>
Date: Sun, 8 Oct 2000 08:05:14 +0200
A better solution would be a kernel patch that hooks into the SIGSEGV signal handler and logs all segmentation faults. A predefined list of programs can be monitored. Maybe it's feasible to log segfaults of all root processes.
This is an example:

--- /usr/src/linux/kernel/signal.c Sat Oct 7 23:35:17 2000 +++ /usr/src/linux-2/kernel/signal.c Sat Oct 7 23:44:25 2000 @@ -282,6 +282,10 @@ goto out_nolock; } + if (sig == SIGSEGV) + printk(KERN_NOTICE "%s(pid:%d) segmentation fault\n", + current->comm, current->pid); + switch (sig) { case SIGKILL: case SIGCONT: /* Wake up the process if stopped. */

If you want to log only some uid, just add a current->uid check in the 'if'. Hacking a bit with the arch-related code of the i386 it may be possible to log also the address that caused the problem and the type of access. Maybe Gigi Sullivan and I will release a complete patch soon, but it seems it can't be done entirely as a module :( Can some linux-kernel skilled people confirm this?

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
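Review bot: the printk sits in the generic signal send path (right after `goto out_nolock; }` in signal.c) rather than in the fault handler, so it fires for every SIGSEGV that passes through that function, including one sent with kill(2) from user space, not only for a real processor fault; in that path `current` is the task sending the signal, so for a kill() from another process the message names the sender, not the process that will die, and an unprivileged user can fill the kernel log simply by sending SIGSEGV to its own processes in a loop. Suggest either hooking the architecture fault handler (which also has the faulting address and access type the post wants to log), or at minimum checking that the target task is `current` and rate-limiting the message; adding `current->uid` to the format string would also make the per-uid filtering mentioned in the post possible at log-analysis time without further kernel changes.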
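An added example (not part of antirez's post or of any released patch) showing the consuming side of such a log: a small C program that reads syslog lines in the exact "comm(pid:N) segmentation fault" format the printk above produces, counts faults per program name, and flags programs that crash repeatedly, which is the signal a defender actually wants from this kind of kernel message. The sample log lines, the program names and the threshold are constructed for illustration and do not come from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample syslog lines (not real log data). Three of the lines
 * are in the "comm(pid:N) segmentation fault" format of the patch's printk,
 * as klogd/syslog would write them after stripping the KERN_NOTICE prefix;
 * the others are unrelated kernel and daemon records. */
static const char *sample_log[] = {
    "Oct  8 08:05:14 host kernel: httpd(pid:1234) segmentation fault",
    "Oct  8 08:05:15 host kernel: httpd(pid:1235) segmentation fault",
    "Oct  8 08:05:15 host kernel: eth0: link is up",
    "Oct  8 08:05:16 host kernel: httpd(pid:1236) segmentation fault",
    "Oct  8 08:05:20 host kernel: vim(pid:777) segmentation fault",
    "Oct  8 08:05:21 host sshd[900]: Accepted password for alice",
    NULL
};

#define COMM_LEN  16   /* same size as the kernel's task comm, NUL included */
#define MAX_PROGS 64   /* hypothetical table size for this example */

struct segv_count {
    char comm[COMM_LEN];
    int  faults;
};

/* Parse one syslog line. Returns 1 and fills comm/pid when the line is a
 * segfault record in the patch's format, 0 otherwise. */
int parse_segv_line(const char *line, char *comm, int *pid)
{
    const char *p = strstr(line, "kernel: ");
    if (p == NULL)
        return 0;
    p += strlen("kernel: ");

    char name[64];
    if (sscanf(p, "%63[^(](pid:%d)", name, pid) != 2)
        return 0;
    /* sscanf counts assignments only, so confirm the trailing text too */
    if (strstr(p, ") segmentation fault") == NULL)
        return 0;

    strncpy(comm, name, COMM_LEN - 1);
    comm[COMM_LEN - 1] = '\0';
    return 1;
}

/* Aggregate fault counts per program name. Returns the number of distinct
 * programs seen; table must have room for MAX_PROGS entries. */
int count_segv(const char **lines, struct segv_count *table)
{
    int n = 0;
    char comm[COMM_LEN];
    int pid;

    for (; *lines != NULL; lines++) {
        if (!parse_segv_line(*lines, comm, &pid))
            continue;
        int i;
        for (i = 0; i < n; i++)
            if (strcmp(table[i].comm, comm) == 0)
                break;
        if (i == n) {
            if (n == MAX_PROGS)
                continue;          /* table full: drop rather than overflow */
            strcpy(table[n].comm, comm);
            table[n].faults = 0;
            n++;
        }
        table[i].faults++;
    }
    return n;
}

/* Look up the fault count for one program; 0 if it never faulted. */
int faults_for(const struct segv_count *table, int n, const char *comm)
{
    for (int i = 0; i < n; i++)
        if (strcmp(table[i].comm, comm) == 0)
            return table[i].faults;
    return 0;
}

/* Detection rule: report every program that faulted at least `threshold`
 * times in the window. Returns how many programs crossed the threshold. */
int flag_repeated_faults(const struct segv_count *table, int n, int threshold)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        if (table[i].faults >= threshold) {
            printf("ALERT: %s segfaulted %d times (threshold %d)\n",
                   table[i].comm, table[i].faults, threshold);
            flagged++;
        }
    }
    return flagged;
}

/* Convenience wrappers that run the pipeline over the constructed sample. */
int sample_distinct_programs(void)
{
    struct segv_count table[MAX_PROGS];
    return count_segv(sample_log, table);
}

int sample_faults_for(const char *comm)
{
    struct segv_count table[MAX_PROGS];
    int n = count_segv(sample_log, table);
    return faults_for(table, n, comm);
}

int sample_flagged(int threshold)
{
    struct segv_count table[MAX_PROGS];
    int n = count_segv(sample_log, table);
    return flag_repeated_faults(table, n, threshold);
}

int main(void)
{
    printf("%d distinct programs faulted\n", sample_distinct_programs());
    return sample_flagged(3) > 0 ? 1 : 0;   /* non-zero exit when something is flagged */
}
```

With the sample above, httpd is reported (three faults in a few seconds) while the single vim crash stays below the threshold; in practice the window and threshold would be tuned per program, since a single fault in a long-running root daemon is often more interesting than several in an interactive editor.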
Current thread:
- Re: Core Dump as an Intrusion Event, (continued)
- Re: Core Dump as an Intrusion Event antirez (Oct 05)
- Re: Core Dump as an Intrusion Event Slawek (Oct 05)
- Re: Core Dump as an Intrusion Event Pascal Bouchareine (Oct 05)
- Re: Core Dump as an Intrusion Event Crist Clark (Oct 05)
- Re: Core Dump as an Intrusion Event W. Reilly Cooley (Oct 05)
- Re: Core Dump as an Intrusion Event Eclipse, Solar (Oct 05)
- Re: Core Dump as an Intrusion Event Erik Tayler (Oct 06)
- Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 06)
- Re: Core Dump as an Intrusion Event Crist Clark (Oct 07)
- Re: Core Dump as an Intrusion Event Kev (Oct 07)
- Re: Core Dump as an Intrusion Event antirez (Oct 08)
- Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 08)
- Re: Core Dump as an Intrusion Event Gigi Sullivan (Oct 09)
- Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 09)
- Re: Core Dump as an Intrusion Event Gigi Sullivan (Oct 11)
- Re: Core Dump as an Intrusion Event antirez (Oct 12)
- Re: Core Dump as an Intrusion Event antirez (Oct 09)
- Re: Core Dump as an Intrusion Event antirez (Oct 09)
- Re: Core Dump as an Intrusion Event Daniel Roesen (Oct 10)