Layering an IDS on Linux - prepwork

Steve G linux_4ever at yahoo.com
Mon Aug 6 00:51:51 UTC 2007


>A more sensible approach is to build application profiles like you do
>for SELinux, and build in a mechanism to easily shutdown alerts at the
>root if the admin thinks the specific pattern behavior of an application
>is ok.

SE Linux is one feed of data into the analysis. It does a good job of letting you
know if the program suddenly wants to make syscalls or access resources that it
hasn't in the past.

But some attacks are within the behavior that SE Linux says is OK. At that point
you are relying on other detectors for abnormal conditions like FORTIFY_SOURCE
and stack-protector. This is what I'm really after and not abort() called by
programmers. It's just unfortunate there is not a way to distinguish the two uses.

-Steve
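As an added illustration of the point made above (this is example code written for this page, not code from the thread or from Steve): a small Python classifier that turns Linux audit ANOM_ABEND crash records into IDS verdicts. The record layout and the sample lines are constructed for the example and assumed to follow the ANOM_ABEND field style; the two messages it looks for in a process's captured stderr are the ones glibc prints when its stack-protector and FORTIFY_SOURCE checks fire. The classifier leaves a bare SIGABRT as ambiguous, because from the audit record alone a check failure and a programmer's abort() look identical; only the extra stderr evidence, when you have it, lets it be upgraded.

```python
"""Classify audit ANOM_ABEND records for an IDS feed.

Added example, not code from the original thread. The record layout is
assumed to follow the Linux audit ANOM_ABEND format; all sample lines
below are constructed, not captured from a real system.
"""
import re

# Signals the kernel reports for crashes that an IDS cares about.
# SIGABRT is the ambiguous one: glibc's FORTIFY_SOURCE and gcc's
# stack-protector failure paths both end in abort(), but so does any
# programmer-written abort() or a failed assert().
MEMORY_VIOLATION = {4: "SIGILL", 7: "SIGBUS", 11: "SIGSEGV"}
SIGABRT = 6

_ANOM_ABEND = re.compile(
    r'^type=ANOM_ABEND msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be quoted strings containing spaces.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Messages glibc writes to stderr/console when its own checks fail.
_GLIBC_CHECK_MSGS = (
    "*** stack smashing detected ***",
    "*** buffer overflow detected ***",
)


def parse_anom_abend(line):
    """Return a dict of fields for an ANOM_ABEND record, or None for other types."""
    m = _ANOM_ABEND.match(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, val in _FIELD.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["sig"] = int(rec.get("sig", 0))
    rec["pid"] = int(rec.get("pid", 0))
    return rec


def classify(rec, stderr_tail=None):
    """Assign a verdict to one parsed ANOM_ABEND record.

    stderr_tail is an optional string captured from the crashing process's
    stderr; it is the only evidence here that separates a glibc check
    failure from a plain abort(), so without it SIGABRT stays ambiguous.
    """
    sig = rec["sig"]
    if sig in MEMORY_VIOLATION:
        return ("memory-violation", MEMORY_VIOLATION[sig])
    if sig == SIGABRT:
        if stderr_tail and any(msg in stderr_tail for msg in _GLIBC_CHECK_MSGS):
            return ("glibc-check-failure", "SIGABRT")
        return ("abort-ambiguous", "SIGABRT")
    return ("other-crash", "sig%d" % sig)


def scan(lines, stderr_by_pid=None):
    """Classify every ANOM_ABEND line; returns a list of (pid, comm, verdict, signal)."""
    stderr_by_pid = stderr_by_pid or {}
    results = []
    for line in lines:
        rec = parse_anom_abend(line)
        if rec is None:
            continue  # not a crash record (SYSCALL, AVC, ...): skip
        verdict, signame = classify(rec, stderr_by_pid.get(rec["pid"]))
        results.append((rec["pid"], rec["comm"], verdict, signame))
    return results


# Constructed sample input (not real captured records).
SAMPLE_RECORDS = [
    'type=ANOM_ABEND msg=audit(1186361511.101:201): auid=500 uid=48 gid=48 ses=1 '
    'pid=2201 comm="httpd" reason="memory violation" sig=11',
    'type=ANOM_ABEND msg=audit(1186361512.205:202): auid=500 uid=48 gid=48 ses=1 '
    'pid=2202 comm="httpd" reason="memory violation" sig=6',
    'type=ANOM_ABEND msg=audit(1186361513.311:203): auid=4294967295 uid=0 gid=0 '
    'ses=4294967295 pid=917 comm="cron" reason="memory violation" sig=6',
    'type=SYSCALL msg=audit(1186361514.400:204): arch=c000003e syscall=2 success=yes exit=3',
]
# Constructed stderr capture for one of the crashing pids.
SAMPLE_STDERR = {2202: "*** stack smashing detected ***: /usr/sbin/httpd terminated"}

if __name__ == "__main__":
    for pid, comm, verdict, signame in scan(SAMPLE_RECORDS, SAMPLE_STDERR):
        print("pid=%d comm=%s %s (%s)" % (pid, comm, signame, verdict))
```

Run on the constructed input, the SIGSEGV in httpd is flagged outright, the httpd SIGABRT that came with a stack-smashing message is flagged as a glibc check failure, and the SIGABRT in cron with no corroborating message is left as ambiguous for an analyst rather than counted as an attack.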


       