Layering an IDS on Linux - prepwork

Steve G linux_4ever at yahoo.com
Sun Aug 5 16:18:01 UTC 2007


>> Think of it, is there any reason for dhcdbd to dump core *every time* it runs?

>> Will anyone be looking at that core dump?
>
>Fedora runs (ulimit -S -c 0) in /etc/profile, so no process dumps core
>by default.

The kernel hook is before anything decides whether or not to actually allow the
dumping of core. It's for this very reason. Most admins will not allow core dumps
because it wastes disk space and could contain privileged information. So, people
may not be aware of the consequences of using abort() casually in a program. So,
if core dump is always turned off and we want to protect everyone...we need to
hook before that check.

>I don't know about the specific case of dhcdbd - maybe it uses abort()
>when it should use exit(nonzero).  But in general, abort() is useful
>even on production systems.

I guess part of the issue is that glibc uses abort() to bring the program to an end
- like on a double free. If there were another signal that indicated that a
program is ending due to something FORTIFY_SOURCE detected or gcc's stack
protector found, we could filter this out better.

-Steve
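The point made above is that `ulimit -c 0` only suppresses the core *file*; the process is still killed by SIGABRT, whether abort() was called explicitly or by glibc's heap checks, and that termination is what a kernel hook placed before the rlimit check sees. The following program, an added example that is not part of the thread and not Fedora or glibc code, makes that visible from userspace: it forks three children with RLIMIT_CORE set to 0 (the C equivalent of `ulimit -S -c 0`), one that calls exit(1), one that calls abort(), and one that frees the same buffer twice, then reports how each one ended the way any parent or process-monitoring agent would see it via waitpid(). The double-free case assumes a glibc allocator that detects the error and aborts; on another libc that child may simply return and exit with status 99.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef WCOREDUMP                 /* glibc extension; fall back to the usual encoding */
#define WCOREDUMP(s) ((s) & 0x80)
#endif

/* How a child ended, as the parent (or any process-monitoring IDS) sees it. */
enum child_end { END_EXITED, END_SIGNALED, END_UNKNOWN };

struct child_result {
    enum child_end how;
    int code;   /* exit status if END_EXITED, terminating signal if END_SIGNALED */
    int core;   /* non-zero if the kernel reports that a core file was written */
};

/*
 * Run fn() in a forked child whose RLIMIT_CORE is set to core_limit
 * (0 is what `ulimit -S -c 0` does) and report how the child ended.
 */
struct child_result run_child(void (*fn)(void), rlim_t core_limit)
{
    struct child_result r = { END_UNKNOWN, -1, 0 };
    pid_t pid = fork();
    if (pid < 0)
        return r;
    if (pid == 0) {
        struct rlimit rl = { core_limit, core_limit };
        (void)setrlimit(RLIMIT_CORE, &rl); /* best effort: abort() behaves the same either way */
        fn();
        _exit(99);  /* only reached if fn() returns, i.e. nothing detected the fault */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return r;
    if (WIFEXITED(status)) {
        r.how = END_EXITED;
        r.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        r.how = END_SIGNALED;
        r.code = WTERMSIG(status);
        r.core = WCOREDUMP(status);
    }
    return r;
}

/* The orderly way out: the process simply exits with a non-zero status. */
static void child_exit(void) { exit(1); }

/* An explicit abort(): the process is killed by SIGABRT. */
static void child_abort(void) { abort(); }

/* A double free: glibc's allocator detects it and calls abort() itself. */
static void child_double_free(void)
{
    void *volatile p = malloc(32);  /* volatile so the compiler cannot fold the frees away */
    free(p);
    free(p);
}

int main(void)
{
    struct { const char *name; void (*fn)(void); } cases[] = {
        { "exit(1)",     child_exit },
        { "abort()",     child_abort },
        { "double free", child_double_free },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        fflush(stdout);  /* do not let the child flush a copy of our buffered output */
        struct child_result r = run_child(cases[i].fn, 0);
        if (r.how == END_EXITED)
            printf("%-12s exited with status %d\n", cases[i].name, r.code);
        else if (r.how == END_SIGNALED)
            printf("%-12s killed by signal %d (%s), core %s\n", cases[i].name,
                   r.code, strsignal(r.code), r.core ? "written" : "not written");
        else
            printf("%-12s could not be run\n", cases[i].name);
    }
    return 0;
}
```

Only the "exit(1)" child terminates normally; the other two are killed by SIGABRT with the core limit at 0, which is exactly the event the hook has to catch before the rlimit check. One caveat for anyone reading the core flag: when /proc/sys/kernel/core_pattern starts with a pipe (systemd-coredump, abrt), the kernel still invokes the helper with RLIMIT_CORE at 0 and only suppresses it when the limit is exactly 1, so the "core written" flag can be set even though the shell limit is zero.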






More information about the fedora-devel-list mailing list