Vulnerability Development mailing list archives

Re: Core Dump as an Intrusion Event


From: antirez <antirez () linuxcare com>
Date: Thu, 12 Oct 2000 15:33:28 +0200

On Wed, Oct 11, 2000 at 11:45:51PM +0200, Gigi Sullivan wrote:
   Could we find a way to be able to change this feature just *only* in
   single user mode? uhm ... too much effort, maybe and ... we're going
   to think about GNU/Linux kernel internals and I don't think the list
   was created for this ;) (that said, I have no problem to continue)

I hacked a bit around this patch:
I developed a better patch that will be on freshmeat ASAP,
it already works but I'm fixing a race with /proc.
The new patch is able to log the memory address that
the process tried to access and the type of the access,
even though it is portable. Unfortunately, making the patch
portable, it is impossible (AFAIK) to distinguish between
read and exec access.
Check out http://www.kyuzz.org/antirez/sigsegv (that isn't
yet on-line) tomorrow to get the patch and a little
userspace tool to dump in a human readable format the
history of the sigsegv (limited history, it's a circular
buffer).
The kernel patch is very small, it just installs a hook
function in the kernel. All the work is done in the module
(i.e. if you want to upgrade you just need to unload the old
module and load the new one, without other kernel changes).

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
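As an added example, not part of antirez's message and not his patch: an in-process model of the design he describes. A SIGSEGV hook records the faulting address and the type of access into a fixed-size circular buffer, and a dumper prints that history in human readable form, newest first. The hook is a userspace sigaction() handler instead of a kernel hook, the access type comes from the x86-64 page-fault error code when that is available (and is "unknown" elsewhere, which is the portability limit the message mentions), the faults are constructed by touching a PROT_NONE page, and every function and field name is this example's own.

```c
/* Added example, not antirez's patch: an in-process model of the design in the
 * message. A SIGSEGV hook records the faulting address and access type into a
 * fixed-size circular buffer; a dumper prints that history newest-first. The hook
 * is a sigaction() handler rather than a kernel hook, and all names are ours. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* exposes REG_ERR in <ucontext.h> on glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#define SEGV_HISTORY 8              /* buffer depth: only the last 8 faults survive */

enum segv_access { ACC_UNKNOWN, ACC_READ, ACC_WRITE };
struct segv_record { pid_t pid; uintptr_t addr; enum segv_access acc; };

static struct segv_record history[SEGV_HISTORY];
static unsigned long history_total; /* faults recorded; slot = total % depth */
static sigjmp_buf recover;
static uintptr_t last_target;       /* address the constructed fault touched */

/* Append one record, overwriting the oldest once the buffer is full. */
static void segv_record_fault(pid_t pid, uintptr_t addr, enum segv_access acc)
{
    struct segv_record *r = &history[history_total++ % SEGV_HISTORY];
    r->pid = pid; r->addr = addr; r->acc = acc;
}

unsigned long segv_count(void)
{
    return history_total < SEGV_HISTORY ? history_total : SEGV_HISTORY;
}

/* n == 0 is the newest record, n == segv_count() - 1 the oldest still kept. */
const struct segv_record *segv_nth_newest(unsigned long n)
{
    if (n >= segv_count()) return NULL;
    return &history[(history_total - 1 - n) % SEGV_HISTORY];
}

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    enum segv_access acc = ACC_UNKNOWN;
    (void)sig;
#if defined(__linux__) && defined(__x86_64__) && defined(REG_ERR)
    /* x86 page-fault error code, bit 1 = write. Read vs. instruction fetch would
     * need the architecture-specific bit 4: the split a portable hook cannot make. */
    acc = (((ucontext_t *)ctx)->uc_mcontext.gregs[REG_ERR] & 2) ? ACC_WRITE : ACC_READ;
#else
    (void)ctx;                      /* no portable way to learn the access type */
#endif
    segv_record_fault(getpid(), (uintptr_t)si->si_addr, acc);
    siglongjmp(recover, 1);         /* sigsetjmp(.., 1) also restores the signal mask */
}

/* Install the hook, touch one byte of a PROT_NONE page (a constructed fault) and
 * return the address touched, or 0 if setup failed. */
uintptr_t segv_provoke(int do_write)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return 0;

    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    volatile char *page = mmap(NULL, pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 0;
    last_target = (uintptr_t)page + 0x10;
    if (sigsetjmp(recover, 1) == 0) {
        if (do_write) page[0x10] = 'A';
        else { volatile char sink = page[0x10]; (void)sink; }
    }
    munmap((void *)page, pg);
    return last_target;
}

uintptr_t segv_last_target(void) { return last_target; }

/* Human-readable dump, newest first, as the userspace tool would print it. */
int segv_dump(char *out, size_t cap)
{
    static const char *const names[] = { "unknown", "read", "write" };
    int used = 0;
    for (unsigned long n = 0; n < segv_count(); n++) {
        const struct segv_record *r = segv_nth_newest(n);
        int w = snprintf(out + used, cap - (size_t)used, "pid %ld: %s fault at 0x%lx\n",
                         (long)r->pid, names[r->acc], (unsigned long)r->addr);
        if (w < 0 || (size_t)w >= cap - (size_t)used) return -1;
        used += w;
    }
    return used;
}
```

A kernel-side hook sees every process's faults without cooperation from the faulting program; this userspace variant only sees its own, but the record layout, the overwrite-oldest ring and the arch-specific access-type problem are the same ones the module has to deal with.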
