
List:       fedora-devel-list
Subject:    Re: Layering an IDS on Linux - prepwork
From:       Steve G <linux_4ever () yahoo ! com>
Date:       2007-08-06 0:51:51
Message-ID: 32877.17458.qm () web51501 ! mail ! re2 ! yahoo ! com


>A more sensible approach is to build application profiles like you do
>for SELinux, and build in a mechanism to easily shutdown alerts at the
>root if the admin thinks the specific pattern behavior of an application
>is ok.

SE Linux is one feed of data into the analysis. It does a good job of letting you
know if the program suddenly wants to make syscalls or access resources that it
hasn't in the past.

But some attacks are within the behavior that SE Linux says is OK. At that point
you are relying on other detectors for abnormal conditions like FORTIFY_SOURCE
and stack-protector. This is what I'm really after and not abort() called by
programmers. It's just unfortunate there is not a way to distinguish the two uses.

-Steve



-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
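The distinction Steve is after can be approximated on the log side: glibc's stack-protector and FORTIFY_SOURCE failures print fixed marker strings before aborting, while a plain abort() leaves only a core-dump record. The following is an added example (not code from the thread or from any project) that triages constructed syslog-style lines on that basis; it assumes the programs' stderr was captured into syslog, since glibc writes these markers to the tty/stderr rather than to syslog, and the core-dump line format is constructed for illustration.

```python
import re

# glibc reports hardening failures (__stack_chk_fail / __fortify_fail) with fixed
# marker strings; the suffix varies by glibc version, so only the marker is matched.
HARDENING_MARKERS = [
    (re.compile(r"\*\*\* stack smashing detected \*\*\*"), "stack-protector"),
    (re.compile(r"\*\*\* buffer overflow detected \*\*\*"), "FORTIFY_SOURCE"),
]
# Syslog "prog[pid]:" tag, used to attribute a marker to a process.
SYSLOG_TAG = re.compile(r"\s(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]:")
# Constructed core-dump record: proves an abort-style death, but NOT who called
# abort(): a glibc check or the programmer's own abort()/assert().
CORE_DUMP = re.compile(r"Process (?P<pid>\d+) \((?P<prog>[^)]+)\) dumped core")

# Constructed sample input (assumed format), not real system output.
SAMPLE_LOG = """\
Aug  6 00:40:01 host httpd[2231]: *** stack smashing detected ***: /usr/sbin/httpd terminated
Aug  6 00:40:01 host kernel: Process 2231 (httpd) dumped core
Aug  6 00:41:17 host kernel: Process 2300 (cupsd) dumped core
Aug  6 00:42:05 host sshd[2411]: *** buffer overflow detected ***: /usr/sbin/sshd terminated
"""


def classify_line(line):
    """Return (source, prog, pid), or None for lines the detector ignores."""
    for marker, source in HARDENING_MARKERS:
        if marker.search(line):
            tag = SYSLOG_TAG.search(line)
            return (source, tag.group("prog") if tag else None,
                    tag.group("pid") if tag else None)
    dump = CORE_DUMP.search(line)
    if dump:
        return "abort-unattributed", dump.group("prog"), dump.group("pid")
    return None


def triage(lines):
    """One finding per event: a hardening marker is an alert and explains the
    matching core dump; a core dump with no marker is queued for human review."""
    findings, explained = [], set()
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        source, prog, pid = hit
        if source != "abort-unattributed":
            explained.add(pid)
            findings.append({"source": source, "prog": prog, "pid": pid, "action": "alert"})
        elif pid not in explained:
            findings.append({"source": source, "prog": prog, "pid": pid, "action": "review"})
    return findings
```

The unexplained cupsd abort stays ambiguous, which is exactly the gap the message describes; the detector can only separate the two cases when the glibc marker was captured.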