Re: Core Dump as an Intrusion Event

[Jarno Huuskonen <jhuuskon () MESSI UKU FI>]

On Mon, Oct 09, Gigi Sullivan wrote:
>    This should be usefull, but making this feature sysctl tunable, may
>    allow some malicious attacker to turn off this easly.

To turn off the logging should require root privileges. If the
attacker can turn off logging, then the damage is already done, so I don't
know if logging core dumps after succesful root exploit is going to help
(maybe log that the feature was turned off).

>    Ok, if you're root, you can do anything you want, but remember that
>    being root is really different from owning the kernel.
>
>    Someone could argue that whenever root is owned, log could be altered.
>    This is true and false ;) IMHO. Think about external logging peripherics,
>    secure syslog implementation (CORE SDI one), tripwire or something else ...
I think that logging core dumps before the attacker gains root is important so
(hopefully) it buys a little time before successful attack.

>    So, /proc (sysctl) tunable option could be *really* usefull, but
>    hard coded statements are safer, IMHO (even if more restrictive).

I agree that there has to be somekind of compromise.

>    Nevertheless to say that we could think about a `secure' sysctl tuning
>    mechanims.
I'm not so sure about this ... Perhaps too complicated for what it's worth ??

-Jarno

--
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen () uku fi
University of Kuopio - Computer Centre   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169