Vulnerability Development mailing list archives

Re: Core Dump as an Intrusion Event


From: antirez <antirez () linuxcare com>
Date: Tue, 10 Oct 2000 02:48:42 +0200

On Sun, Oct 08, 2000 at 10:41:05PM +0300, Jarno Huuskonen wrote:
> What about adding some code so it can be controlled thru the proc filesystem ?
> Like enabling/disabling logging, log only certain programs etc.
> (echo 1 > /proc/sys/kernel/core-logging)
> Does this sound feasible/sensible ?

Attached a patch and a module that implements
/proc/sigsegv (FreeBSD sigsegv log style). See the README for usage.
It's for linux 2.2.16 (likely 2.2.17).
About a secure way to enable/disable the patch: using some
kind of state global variable, like log_sigsegv = [01] it
is anyway trivial to break. You may implement a lot of
security checking in the module that gets the on/off command,
but it's too simple to get the address of the symbol and change
the value via /dev/kmem or just to compile a module that
skips our silly checks. So use -DLOGSIGSEGV_PARANOID
to obtain a hardcoded static logging.
The patch is SMP-safe, since printk() should be safe.

antirez

p.s. linux kernel skilled guys in the list may suggest enhancements or fixes.

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
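The thread's premise is that segfaults logged by the kernel are worth treating as intrusion events. The patch and module attached to this post are not reproduced here, and the exact line format written to /proc/sigsegv is not shown, so the following added example (not antirez's code) instead consumes the "segfault at ... ip ... sp ... error ..." lines that later mainline Linux kernels print for unhandled SIGSEGV on x86, and applies the kind of triage a defender would run over them: decode the page-fault error code, flag faults where execution landed on a non-executable or unmapped page, and flag bursts of crashes in one program. The log lines, thresholds and program names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample dmesg lines (not taken from any real system) in the
# format modern x86 Linux kernels emit for unhandled SIGSEGV. The trailing
# "in obj[base+size]" part is only printed when ip lies in a file-backed
# mapping, so it is optional in the parser.
SAMPLE_LOG = """\
[100.000000] sshd[2101]: segfault at 0 ip 00005562a1b04f10 sp 00007ffd1c2e3f40 error 4 in sshd[5562a1af0000+8c000]
[100.100000] sshd[2105]: segfault at 8 ip 00005562a1b04f10 sp 00007ffd1c2e3f40 error 4 in sshd[5562a1af0000+8c000]
[100.200000] sshd[2109]: segfault at 0 ip 00005562a1b04f10 sp 00007ffd1c2e3f40 error 4 in sshd[5562a1af0000+8c000]
[500.000000] myapp[3301]: segfault at 7ffd1c2e3f40 ip 00007ffd1c2e3f40 sp 00007ffd1c2e3f38 error 21
[900.000000] gedit[4410]: segfault at 10 ip 00007f3a1c0a2b3c sp 00007ffc00112233 error 4 in libgtk-3.so.0.2404.16[7f3a1bf00000+3d0000]
"""

SEGFAULT_RE = re.compile(
    r'^(?:\[\s*(?P<ts>\d+\.\d+)\]\s+)?'
    r'(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) '
    r'ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)'
    r'(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?'
)

# x86 page-fault error-code bits as reported in the "error N" field.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def parse_segfault(line):
    """Parse one kernel segfault line into a dict, or None if it is not one."""
    m = SEGFAULT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]) if d["ts"] else None,
        "comm": d["comm"],
        "pid": int(d["pid"]),
        "addr": int(d["addr"], 16),
        "ip": int(d["ip"], 16),
        "sp": int(d["sp"], 16),
        "err": int(d["err"]),
        "obj": d["obj"],                       # None when ip is in anonymous memory
        "base": int(d["base"], 16) if d["base"] else None,
        "size": int(d["size"], 16) if d["size"] else None,
    }


def classify(ev):
    """Reasons a single crash looks like more than an ordinary bug."""
    reasons = []
    if ev["err"] & PF_INSTR:
        reasons.append("instruction fetch from a non-executable page")
    if ev["ip"] == ev["addr"]:
        reasons.append("fault address equals ip: control flow reached unmapped memory")
    if ev["obj"] is None:
        reasons.append("ip is not inside any file-backed mapping")
    return reasons


def analyze(lines, burst_threshold=3, window_s=60.0):
    """Return (events, findings); findings are (comm, pid-or-None, reason)."""
    events = [e for e in map(parse_segfault, lines) if e]
    findings = []
    for ev in events:
        for r in classify(ev):
            findings.append((ev["comm"], ev["pid"], r))
    # Burst detection: repeated crashes of the same program in a short
    # window, which is what a service under repeated crash attempts looks like.
    by_comm = defaultdict(list)
    for ev in events:
        by_comm[ev["comm"]].append(ev["ts"] if ev["ts"] is not None else 0.0)
    for comm, stamps in by_comm.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + burst_threshold - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= window_s:
                findings.append((comm, None,
                                 f"{burst_threshold}+ crashes within {window_s:g}s"))
                break
    return events, findings


if __name__ == "__main__":
    evs, found = analyze(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} segfault events parsed")
    for comm, pid, reason in found:
        print(f"  {comm}" + (f"[{pid}]" if pid else "") + f": {reason}")
```

The single gedit crash produces no finding, which is the intended behaviour: one segfault in a desktop application is noise, while three sshd crashes in a fraction of a second, or a process whose instruction pointer ended up on a non-executable page, are the cases the thread argues should be surfaced. Feeding real lines means reading them from `dmesg` or the kernel log rather than the constructed `SAMPLE_LOG`.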

