Identifying thread/process termination

L A Walsh lkml at tlinx.org
Tue Nov 17 15:22:24 UTC 2020


On 2020/11/16 05:43, Paul Moore wrote:
> The most important thing to keep in mind is that all of the threads
> inside a process share the same memory space.  It is the lack of a
> strong, enforceable boundary between threads which makes it difficult,
> if not impossible, to view threads as individual entities from a
> security perspective.
---
    Depends on how much your security policy relies on recognizing
abnormal behavior.  If a program splits function across well defined
areas by a named thread, one may develop a baseline of "normal"
functionality associated with given threads.  Determining that
a thread is operating outside its normal range can allow for an
earlier detection and better monitoring of "safe" and/or secure
operation.

    How programs operate, especially in regards to what work is
normal for a given thread can only be done with thread level
monitoring.  While given threads _can_ access global-user memory,
that involves how they are coded or programmed to run.  That, in
turn, can be used to help define boundaries and integrity levels
of various processes in a system. 

    For example, even though a logging thread might gather data
from other threads, knowing that it can only write to output
to specific configured destinations would allow swift detection
of aberrations.

More information about the Linux-audit mailing list
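The per-thread baseline described in the message above (a named thread whose "normal" write destinations are known, and a logging thread that may only write to configured destinations) can be checked against audit records, because the comm= field of a SYSCALL record is the calling task's name, which on Linux is per-thread and is whatever the program set with pthread_setname_np() or prctl(PR_SET_NAME). The following checker is an added example written for this page; it is not code from the message's author, from Paul Moore, or from the audit project. It assumes a hypothetical application with threads named "logwriter" and "netio", assumes x86_64 syscall numbers (open=2, openat=257), and runs over constructed audit lines, abbreviated to the fields it reads, that were not captured from a real system.

```python
import os
import re
from collections import defaultdict

# Expected write destinations per thread name (hypothetical application).
# The names are whatever the program assigned with pthread_setname_np() /
# prctl(PR_SET_NAME); the audit SYSCALL record reports the calling task's
# comm, which is per-thread, so it is what tells the threads of one process apart.
WRITE_BASELINE = {
    "logwriter": ("/var/log/app/",),   # may only write under this directory
    "netio": (),                       # expected never to write to the filesystem
}

# x86_64 syscall numbers and the open(2) access-mode bits used below.
SYSCALL_OPEN, SYSCALL_OPENAT = 2, 257
O_ACCMODE = 0o3                        # low two bits: O_RDONLY / O_WRONLY / O_RDWR

# Constructed audit records (not captured from a real system), abbreviated to
# the fields the checker reads. One event = all records sharing a serial number.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1605626544.101:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1b2c0a2a0 a2=241 a3=1b6 items=2 pid=1234 uid=1000 comm="logwriter" exe="/usr/bin/app" key="app-writes"
type=CWD msg=audit(1605626544.101:4567): cwd="/"
type=PATH msg=audit(1605626544.101:4567): item=0 name="/var/log/app/" inode=1001 nametype=PARENT
type=PATH msg=audit(1605626544.101:4567): item=1 name="/var/log/app/app.log" inode=1002 nametype=NORMAL
type=SYSCALL msg=audit(1605626544.205:4568): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1b2c0a400 a2=441 a3=1b6 items=2 pid=1234 uid=1000 comm="logwriter" exe="/usr/bin/app" key="app-writes"
type=CWD msg=audit(1605626544.205:4568): cwd="/home/user"
type=PATH msg=audit(1605626544.205:4568): item=0 name=".ssh/" inode=2001 nametype=PARENT
type=PATH msg=audit(1605626544.205:4568): item=1 name=".ssh/authorized_keys" inode=2002 nametype=CREATE
type=SYSCALL msg=audit(1605626544.310:4569): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d1b2c0a500 a2=0 a3=0 items=1 pid=1234 uid=1000 comm="netio" exe="/usr/bin/app" key="app-writes"
type=CWD msg=audit(1605626544.310:4569): cwd="/"
type=PATH msg=audit(1605626544.310:4569): item=0 name="/etc/resolv.conf" inode=3001 nametype=NORMAL
type=SYSCALL msg=audit(1605626544.420:4570): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=55d1b2c0a600 a2=41 a3=1b6 items=2 pid=1234 uid=1000 comm="netio" exe="/usr/bin/app" key="app-writes"
type=CWD msg=audit(1605626544.420:4570): cwd="/"
type=PATH msg=audit(1605626544.420:4570): item=0 name="/tmp/" inode=4001 nametype=PARENT
type=PATH msg=audit(1605626544.420:4570): item=1 name="/tmp/.x" inode=4002 nametype=CREATE
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit line into (type, serial, {field: value}); quotes are stripped."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(body)}
    return rtype, int(serial), fields


def group_events(log_text):
    """Collect each event's records, keyed by serial and then by record type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype].append(fields)
    return events


def opens_for_writing(syscall_rec):
    """True if the SYSCALL record is an open/openat whose flags request write access."""
    if syscall_rec.get("arch") != "c000003e":      # x86_64 only; numbers differ per arch
        return False
    nr = int(syscall_rec.get("syscall", -1))
    if nr == SYSCALL_OPEN:
        flags = int(syscall_rec["a1"], 16)         # open(path, flags, mode)
    elif nr == SYSCALL_OPENAT:
        flags = int(syscall_rec["a2"], 16)         # openat(dirfd, path, flags, mode)
    else:
        return False
    return (flags & O_ACCMODE) != 0                # O_WRONLY or O_RDWR


def target_path(event):
    """Absolute path of the file the event opened, resolved against its CWD record."""
    cwd = event["CWD"][0]["cwd"] if event.get("CWD") else "/"
    for rec in event.get("PATH", []):
        if rec.get("nametype") in ("NORMAL", "CREATE"):   # the object itself, not its parent
            return os.path.normpath(os.path.join(cwd, rec["name"]))
    return None


def find_aberrations(log_text, baseline=WRITE_BASELINE):
    """Return (serial, comm, path, reason) for each successful write-open outside the thread's baseline."""
    findings = []
    events = group_events(log_text)
    for serial in sorted(events):
        event = events[serial]
        for sc in event.get("SYSCALL", []):
            if sc.get("success") != "yes" or not opens_for_writing(sc):
                continue
            comm, path = sc.get("comm", "?"), target_path(event)
            if comm not in baseline:
                findings.append((serial, comm, path, "no baseline for this thread name"))
            elif path is None or not any(path.startswith(p) for p in baseline[comm]):
                findings.append((serial, comm, path, "write outside baseline"))
    return findings


if __name__ == "__main__":
    for serial, comm, path, reason in find_aberrations(SAMPLE_AUDIT_LOG):
        print(f"event {serial}: thread {comm!r} opened {path} for writing: {reason}")
```

Run as is, the checker accepts the logwriter thread's write to /var/log/app/app.log and the netio thread's read-only open of /etc/resolv.conf, and flags the logwriter thread creating ~/.ssh/authorized_keys and the netio thread creating /tmp/.x. The relative name in event 4568 is why the CWD record has to be consulted. Note the limit that the message itself implies: comm is set by the program, so a thread that has already been subverted can rename itself; the baseline adds earlier detection, not an enforced boundary.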