Vulnerability Development mailing list archives

Re: Core Dump as an Intrusion Event

From: Gigi Sullivan <sullivan () SIKUREZZA ORG>
Date: Wed, 11 Oct 2000 23:45:51 +0200

Aiee :)

   Hello!

   (I apologize for the lag about the answer; rather busy :))

On Mon, Oct 09, 2000 at 11:29:25PM +0300, Jarno Huuskonen wrote:

[snip]

To turn off the logging should require root privileges. If the
attacker can turn off logging, then the damage is already done, so I don't
know if logging core dumps after succesful root exploit is going to help
(maybe log that the feature was turned off).


   Obviously we're going to log every abnormal process termination
   (read segv, abrt, ill, bus and so on).
   This may produce false positive as well, unfortunatly :)

[snip]

I think that logging core dumps before the attacker gains root is important so
(hopefully) it buys a little time before successful attack.


   I agree.

   So, /proc (sysctl) tunable option could be *really* usefull, but
   hard coded statements are safer, IMHO (even if more restrictive).


I agree that there has to be somekind of compromise.

   Nevertheless to say that we could think about a `secure' sysctl tuning
   mechanims.

I'm not so sure about this ... Perhaps too complicated for what it's worth ??


   Maybe.

   Could we find a way to be able to change this feature just *only* in
   single user mode? uhm ... too much effort, maybe and ... we're going
   to think about GNU/Linux kernel internals and I don't think the list
   was created for this ;) (that said, I have no problem to continue)


-Jarno

--
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen () uku fi
University of Kuopio - Computer Centre   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169


bye bye

                  -- gg sullivan

--
Lorenzo Cavallaro       `Gigi Sullivan' <sullivan () sikurezza org>

LibRNet Project Home Page: http://www.sikurezza.org/sullivan
LibRNet Mailing List: librnet-subscribe () egroups com

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)

Current thread:

Re: Core Dump as an Intrusion Event, (continued)
- Re: Core Dump as an Intrusion Event W. Reilly Cooley (Oct 05)
- Re: Core Dump as an Intrusion Event Eclipse, Solar (Oct 05)
  - Re: Core Dump as an Intrusion Event Erik Tayler (Oct 06)
  - Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 06)
  - Re: Core Dump as an Intrusion Event Crist Clark (Oct 07)
  - Re: Core Dump as an Intrusion Event Kev (Oct 07)
  - Re: Core Dump as an Intrusion Event antirez (Oct 08)
    - Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 08)
    - Re: Core Dump as an Intrusion Event Gigi Sullivan (Oct 09)
    - Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 09)
    - Re: Core Dump as an Intrusion Event Gigi Sullivan (Oct 11)
    - Re: Core Dump as an Intrusion Event antirez (Oct 12)
    - Re: Core Dump as an Intrusion Event antirez (Oct 09)
    - Re: Core Dump as an Intrusion Event antirez (Oct 09)
    - Re: Core Dump as an Intrusion Event Daniel Roesen (Oct 10)
- Re: Core Dump as an Intrusion Event Michael Wojcik (Oct 07)