HIDS 61028

From Atomicorp Wiki
Jump to: navigation, search
Rule 61028
Status Active
Alert Message Denied an untrusted non system library binary from hooking an application


[edit] Description

This rule is triggered when a userland application tries to hook a system library or application, but is not itself a system library or application.

You should investigate this event as it may be part of a broader attack. Some debugging application, such as abrtd, are known to do this.

[edit] Log examples

May 5 09:24:02 host kernel: grsec: denied exec of usermode helper binary /usr/libexec/abrt-hook-ccpp located outside of /sbin and system library paths

[edit] Troubleshooting

[edit] False Positives

Please do not report events for abrt, if this involves a different application, please report this to support if you know this is not an attack.

[edit] Additional Information

[edit] Similar Rules


[edit] Knowledge Base Articles


Personal tools