Re: SNARE and Ptrace?

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Mon Mar 24 2003 - 20:14:03 EST


On Mon, 2003-03-24 at 22:20, Robert L. Harris wrote:
> Has anyone tested to see if "Snare" from intersectalliance.com can
> detect someone executing a ptrace attack? An old company I used to work
> for has a number of production kernels out and can't just upgrade them
> all overnight so they need a good detection method and short-term fix
> if possible. In the past we had evaluated Snare which I pointed him to
> but we're not sure if/how it might detect such an attack.

Snare won't really help you. In fact older snare tends to make a box
less secure. The rework looked good but I've not had time to do a
detailed review and I believe they've been busy working on other
projects too.

If there is no UML or debugging done on the box, stick "return -EPERM"
at the start of sys_ptrace and just disable the entire debug/strace
feature set.
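An added example, not from this thread or from any kernel source: a user-space probe that checks whether the box actually refuses ptrace, as it would after the "return -EPERM at the start of sys_ptrace" change. It forks a child it owns and tries PTRACE_ATTACH; the names `probe_ptrace`, `classify_attach` and the `attach_state` enum are this example's own.

```c
/* Probe whether the running kernel denies ptrace outright.
 * Constructed example; not part of the original thread. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum attach_state { ATTACH_ALLOWED, ATTACH_DENIED, ATTACH_PROBE_ERROR };

/* Map the attach result to a verdict. EPERM is what an unconditional
 * "return -EPERM" in sys_ptrace produces; any other failure (ESRCH,
 * EINTR, ...) is a problem with the probe, not evidence of hardening. */
enum attach_state classify_attach(long rc, int err)
{
    if (rc == 0)
        return ATTACH_ALLOWED;
    if (err == EPERM)
        return ATTACH_DENIED;
    return ATTACH_PROBE_ERROR;
}

/* Fork a sleeping child we own and attempt to attach to it. */
enum attach_state probe_ptrace(void)
{
    pid_t child = fork();
    if (child < 0)
        return ATTACH_PROBE_ERROR;
    if (child == 0) {
        pause();            /* wait until the parent kills us */
        _exit(0);
    }
    errno = 0;
    long rc = ptrace(PTRACE_ATTACH, child, NULL, NULL);
    enum attach_state st = classify_attach(rc, errno);
    if (rc == 0) {
        waitpid(child, NULL, 0);                 /* consume the attach stop */
        ptrace(PTRACE_DETACH, child, NULL, NULL);
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);                     /* reap the child */
    return st;
}

int main(void)
{
    static const char *names[] = { "allowed", "denied (EPERM)", "probe error" };
    enum attach_state st = probe_ptrace();
    printf("ptrace attach on own child: %s\n", names[st]);
    return st == ATTACH_DENIED ? 0 : 1;
}
```

Attaching to one's own descendant is permitted by ordinary ptrace rules (and by later Yama restrictions), so "allowed" here means the blanket kill switch is not in place, not that a cross-process attack is possible.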

This archive was generated by hypermail 2b29 : Mon Mar 31 2003 - 22:00:18 EST