Layering an IDS on Linux - prepwork

Steve G linux_4ever at yahoo.com
Sun Aug 5 15:57:51 UTC 2007


>>> abort() is the traditional way to abort a program when an assertion
>>> fails (developers might need the core file in that case),
>> Which is ok in the debug case. For a production webserver it's a different
>> story.
>
>Even in production code it is useful to abort() in "can't happen"
>branches.  The cost of the additional code is negligible.

This is the issue that I'm trying to raise awareness about. Most of the time,
programmers just want the program to end with an error code. They have no use for
a core dump since it's deployed on a million end users' machines and they will not
be forwarding that core dump to the developer. Think of it: is there any reason
for dhcdbd to dump core *every time* it runs? Will anyone be looking at that core
dump?

If the program is detecting something that is truly bad or unusual an abort() is
correct. For example, when tcp_wrappers sees a miscompared forward and reverse
lookup.

I only know of a couple of programs that do this. But I only run a small fraction of
all the packages that Fedora offers. So, I could use some help hunting down the
programs that do this regularly so that we can evaluate whether the program is
reporting something exceptional or the programmer didn't realize that he/she was
requesting a core dump on exit.

I'm also hoping that people see aureport's anomaly detection as something useful
in the meantime before I can get the IDS part working. It could help people spot
an attack by knowing it's there.

Thanks,
-Steve
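The distinction argued above (abort() raising SIGABRT and requesting a core file, versus exit() returning a plain error status) can be observed directly; the following is an added example, not code from the thread or from any Fedora package, and its fail() function is a hypothetical stand-in for a program's error path. It also shows the production-side mitigation of lowering RLIMIT_CORE so an abort() still terminates the process but writes no core.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Two ways to leave on an error: abort() raises SIGABRT (and, if the core
 * limit allows it, the kernel writes a core file); exit() only returns a
 * status code and never produces a core. */
enum exit_style { USE_ABORT, USE_EXIT };

/* Hypothetical error path standing in for the "can't happen" branches
 * discussed in the thread. */
static void fail(enum exit_style style)
{
    if (style == USE_ABORT)
        abort();            /* SIGABRT: a core dump is requested */
    exit(EXIT_FAILURE);     /* plain error status, no core */
}

/* Run the failure path in a child process with RLIMIT_CORE set to 0, so the
 * demo terminates the same way but never writes a core file. Returns -1 on
 * fork/wait failure, the signal number if the child was killed by a signal,
 * otherwise 256 + the child's exit status. */
int run_child(enum exit_style style)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };   /* soft and hard limit 0 */
        setrlimit(RLIMIT_CORE, &no_core);
        fail(style);
        _exit(99);                          /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return 256 + WEXITSTATUS(status);
}

int main(void)
{
    printf("abort() path: signal %d (SIGABRT is %d)\n", run_child(USE_ABORT), SIGABRT);
    printf("exit() path:  status %d\n", run_child(USE_EXIT) - 256);
    return 0;
}
```

Without the RLIMIT_CORE change, the abort() path on a system with core dumps enabled is exactly what produces the per-run core files and audit anomaly events the message describes.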

