Date: Fri, 13 Dec 2013 10:55:23 -0500
From: Jason Cooper <jason@...edaemon.net>
To: Ingo Molnar <mingo@...nel.org>
Cc: Ryan Mallon <rmallon@...il.com>, Kees Cook <keescook@...omium.org>, Theodore Ts'o <tytso@....edu>, vegard.nossum@...cle.com, LKML <linux-kernel@...r.kernel.org>, Tommi Rantala <tt.rantala@...il.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, Andy Lutomirski <luto@...capital.net>, Daniel Vetter <daniel.vetter@...ll.ch>, Alan Cox <alan@...ux.intel.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jason Wang <jasowang@...hat.com>, "David S. Miller" <davem@...emloft.net>, Dan Carpenter <dan.carpenter@...cle.com>, James Morris <james.l.morris@...cle.com>
Subject: Re: [PATCH 1/9] Known exploit detection

On Fri, Dec 13, 2013 at 02:06:48PM +0100, Ingo Molnar wrote:
...
> In future the exploit() code could trigger actual active defensive
> measures, such as immediately freezing all tasks of that UID and
> blocking further fork()s/exec()s of that UID.
>
> Depending on how critical the security of the system is, such active
> measures might still be a preferable outcome even if there's a chance
> of false positives. (Such active measures that freeze the UID will
> also help with forensics, if the attack is indeed real.)

I would recommend adding the CVSS score or some other quantifiable
attribute to the exploit() call, e.g.:

    exploit("CVE-2011-4330", 72);

Or, optionally, maintaining a lut of CVE -> severity number.

Then the user can decide how to respond to different levels of exploits.
So:

  >80       freezes all tasks of the UID, email user
  >30, <80  emails user
  <30       just logs it.

I'm swagging this, my point is the user needs a concrete, configurable
way to be alerted / respond.

thx,

Jason.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
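The following is an added example, not code from the "Known exploit detection" patch series or from Jason Cooper's mail: a small user-space C model of the two mechanisms the mail proposes, a severity argument on the exploit() call and a CVE -> severity lookup table, feeding a tunable threshold policy (>80 freeze the UID, >30 notify, otherwise log). Everything in it is assumed for illustration: the type and function names, the policy fields, and the table contents. The pair CVE-2011-4330 / 72 is the mail's illustrative value and not an actual CVSS score; the other ids are constructed placeholders, not real CVE numbers. The "freeze" and "notify" steps are printf stand-ins for the kernel actions Ingo describes.

```c
#include <stdio.h>
#include <string.h>

/* Response tiers, in increasing order of aggressiveness. */
enum exploit_action {
    ACTION_LOG = 0,        /* just log it */
    ACTION_NOTIFY = 1,     /* log and notify (email) the user/admin */
    ACTION_FREEZE_UID = 2  /* log, notify, and freeze all tasks of the UID */
};

struct severity_entry {
    const char *cve;
    int severity;          /* 0..100 */
};

/* CVE -> severity lookup table (the "lut" from the mail). CVE-2011-4330 / 72
 * is the mail's illustrative pair, not a real CVSS score; the other two ids
 * are constructed placeholders, not real CVE identifiers. */
static const struct severity_entry severity_lut[] = {
    { "CVE-2011-4330",             72 },
    { "CVE-0000-PLACEHOLDER-LOW",  15 },
    { "CVE-0000-PLACEHOLDER-HIGH", 95 },
};

/* Tunable policy: the "concrete, configurable way" the mail asks for.
 * Hypothetical field names; in a kernel this would be sysctl-backed. */
struct exploit_policy {
    int notify_threshold;  /* severity above this -> notify */
    int freeze_threshold;  /* severity above this -> freeze the UID */
    int unknown_severity;  /* severity assumed for a CVE not in the table */
};

static const struct exploit_policy default_policy = {
    .notify_threshold = 30,
    .freeze_threshold = 80,
    .unknown_severity = 50, /* design choice: an unlisted id still gets noticed */
};

/* Return the table severity for cve, or -1 if it is not listed. */
int lookup_severity(const char *cve)
{
    size_t i;
    for (i = 0; i < sizeof(severity_lut) / sizeof(severity_lut[0]); i++)
        if (strcmp(severity_lut[i].cve, cve) == 0)
            return severity_lut[i].severity;
    return -1;
}

/* Map a severity to an action: >80 freeze, >30 notify, else log. The mail
 * leaves the exact boundaries open; here a value equal to a threshold falls
 * into the milder tier. */
enum exploit_action classify_severity(const struct exploit_policy *p, int severity)
{
    if (severity > p->freeze_threshold)
        return ACTION_FREEZE_UID;
    if (severity > p->notify_threshold)
        return ACTION_NOTIFY;
    return ACTION_LOG;
}

/* Model of the proposed exploit() call. severity < 0 means "not supplied at
 * the call site, consult the lookup table". Returns the action taken. */
enum exploit_action exploit_report(const struct exploit_policy *p,
                                   unsigned int uid, const char *cve, int severity)
{
    enum exploit_action action;

    if (severity < 0) {
        severity = lookup_severity(cve);
        if (severity < 0)
            severity = p->unknown_severity;
    }
    action = classify_severity(p, severity);

    /* Logging is common to every tier. */
    printf("exploit attempt: uid=%u cve=%s severity=%d action=%d\n",
           uid, cve, severity, (int)action);
    if (action >= ACTION_NOTIFY)
        printf("  -> notify user/admin about uid=%u\n", uid);        /* stand-in */
    if (action == ACTION_FREEZE_UID)
        printf("  -> freeze tasks of uid=%u, block fork/exec\n", uid); /* stand-in */
    return action;
}

int main(void)
{
    exploit_report(&default_policy, 1000, "CVE-2011-4330", -1);             /* table: 72 -> notify */
    exploit_report(&default_policy, 1000, "CVE-2011-4330", 85);             /* call-site 85 -> freeze */
    exploit_report(&default_policy, 1001, "CVE-0000-PLACEHOLDER-LOW", -1);  /* 15 -> log */
    exploit_report(&default_policy, 1002, "CVE-0000-UNLISTED", -1);         /* unknown -> 50 -> notify */
    return 0;
}
```

The explicit call-site value wins over the table when both exist, so a caller can raise the severity of a specific detection point without editing the table; an unlisted id falls back to unknown_severity rather than silently landing in the log-only tier.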