Layering an IDS on Linux - prepwork

Arjan van de Ven arjan at infradead.org
Mon Aug 6 16:11:37 UTC 2007


On Sun, 2007-08-05 at 17:30 -0700, Steve G wrote:
> > It would even be nice if there was a "a program dumped core. Can I send a
> > backtrace to the distro vendor?" program that would allow fedora (and others)
> > to get statistical information about where the most common crashes happen.
> 
> That would be easy to add as a plugin to the audit event dispatcher. All it would
> have to do is filter on the ANOM_ABEND event type and then do further analysis.
> There is an example filter program here: /usr/share/doc/audit-1.5.6/skeleton.c
> that could be used as the basis for this kind of tool. 


What I imagine is simpler than that:
have the coredumps go to a specific directory on the system and just
watch that directory from some daemon.

The alternative is actually nicer: the new kernel can actually pipe
coredumps to a program, which can just take care of all this from the
start; no audit things needed whatsoever, that'd just be pointless
overhead.
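
One shape the pipe-to-program approach described above can take, as an added example that is not code from this thread, from Fedora or from the kernel: a core_pattern pipe handler that spools each dump under a sanitized name and lets you tally crashes per executable, the statistic the quoted wish asked for. The spool directory, the size cap and the handler path in the core_pattern line are assumptions, and the argv order must match the specifiers in that line.

```python
"""core_pattern pipe handler: spool each dump, then tally crashes per executable.
The kernel execs the handler once per dump, passing the expanded specifiers as
argv and the dump itself on stdin.  Installed (as root) with, for example:
  echo '|/usr/local/sbin/core_handler.py %p %e %s %t' > /proc/sys/kernel/core_pattern
"""
import json
import re
import sys
from collections import Counter
from pathlib import Path

SPOOL = Path("/var/spool/coredumps")   # assumed location, not a distro convention
MAX_BYTES = 256 * 1024 * 1024           # assumed cap; larger dumps are truncated

def safe_name(comm):
    """%e is the process 'comm' string, which the process itself can change
    (prctl PR_SET_NAME), so it is filtered before becoming a path component."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", comm)[:64] or "unknown"

def store_core(argv, stream, spool=SPOOL):
    """argv = [pid, comm, signal, epoch] as expanded by the kernel; stream = stdin.
    Writes <base>.dump and <base>.json into the spool and returns the metadata."""
    pid, comm, sig, when = int(argv[0]), argv[1], int(argv[2]), int(argv[3])
    spool.mkdir(parents=True, exist_ok=True, mode=0o700)  # dumps can hold secrets
    base = spool / f"core.{safe_name(comm)}.{pid}.{when}"
    size, truncated = 0, False
    with open(f"{base}.dump", "wb") as out:
        for chunk in iter(lambda: stream.read(65536), b""):
            if size + len(chunk) > MAX_BYTES:
                truncated = True
                break                    # stop spooling; the remainder is discarded
            out.write(chunk)
            size += len(chunk)
    meta = {"pid": pid, "exe": comm, "signal": sig, "time": when,
            "bytes": size, "truncated": truncated}
    Path(f"{base}.json").write_text(json.dumps(meta))
    return meta

def crash_stats(spool=SPOOL):
    """Count spooled dumps per executable: the 'where do crashes happen' statistic."""
    counts = Counter()
    for meta_file in spool.glob("*.json"):
        counts[json.loads(meta_file.read_text())["exe"]] += 1
    return counts

if __name__ == "__main__":             # invoked by the kernel via core_pattern
    store_core(sys.argv[1:], sys.stdin.buffer)
```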
