Difference between revisions of "HIDS 60227"

From Atomicorp Wiki

Revision as of 14:34, 18 December 2011

Example log message:

system kernel: grsec: denied RWX mprotect of <anonymous mapping> by /lib64/ld-2.5.so[ld-linux-x86-64:27597] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/prelink[prelink:25897] uid/euid:0/0 gid/egid:0/0

Explanation:

The kernel contains numerous protections to prevent applications from being compromised, including protections for the kernel itself to prevent root level compromises. One of these is to restrict the use of the mprotect function (see http://pax.grsecurity.net/docs/mprotect.txt), which can be used to introduce new executable code into the task's address space. This method can be used to compromise an application, which could lead to a partial or full compromise of the system depending on the application or applications involved. This protection closes a commonly used hole attackers use to compromise systems.

If you see this alert, that means that an application is attempting to use this function. This can be caused by an insecure application attempting to use this insecure function legitimately, in which case we recommend you contact the developer and ask them to use a more secure method; it could be used by an application in a manner that is likely to be unexploitable (although this is very difficult to know without significant knowledge about the application and its uses); or this may be an attempt to compromise your system.
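Deciding which of those three cases applies starts with pulling the process, its parent and their credentials out of the kernel message. The following parser is an added example written for this article, not Atomicorp's HIDS rule code; it assumes the message format shown in the example log line above (the trailing "parent" clause is treated as optional, which is an assumption), and the second and third sample lines, the severity heuristic in triage() and the summarize() helper are constructed for illustration.

```python
"""Parse and triage grsec 'denied RWX mprotect' kernel messages.

Added example for the HIDS 60227 alert; not Atomicorp's own rule code.
Assumes the syslog line carries the message format shown on the wiki page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# First line is the example from the page; the others are constructed.
SAMPLE_LINES = [
    "system kernel: grsec: denied RWX mprotect of <anonymous mapping> by "
    "/lib64/ld-2.5.so[ld-linux-x86-64:27597] uid/euid:0/0 gid/egid:0/0, parent "
    "/usr/sbin/prelink[prelink:25897] uid/euid:0/0 gid/egid:0/0",
    # constructed: an unprivileged process hitting the same restriction
    "web1 kernel: grsec: denied RWX mprotect of <anonymous mapping> by "
    "/opt/app/bin/worker[worker:4242] uid/euid:1001/1001 gid/egid:1001/1001, parent "
    "/opt/app/bin/server[server:4100] uid/euid:1001/1001 gid/egid:1001/1001",
    # constructed: unrelated kernel message that must not match
    "web1 kernel: eth0: link up",
]

# Field order follows the page's example line. The parent clause is optional
# here as an assumption, so a line without it still parses.
GRSEC_MPROTECT_RE = re.compile(
    r"grsec: denied RWX mprotect of (?P<mapping><[^>]+>|\S+) "
    r"by (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:, parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+))?"
)


@dataclass(frozen=True)
class MprotectDenial:
    host: str
    mapping: str
    path: str
    comm: str
    pid: int
    uid: int
    euid: int
    parent_path: Optional[str]
    parent_comm: Optional[str]
    parent_pid: Optional[int]


def parse_grsec_mprotect(line: str) -> Optional[MprotectDenial]:
    """Return the parsed denial, or None for lines that are not this message."""
    m = GRSEC_MPROTECT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return MprotectDenial(
        host=line.split(" ", 1)[0],
        mapping=g["mapping"],
        path=g["path"],
        comm=g["comm"],
        pid=int(g["pid"]),
        uid=int(g["uid"]),
        euid=int(g["euid"]),
        parent_path=g["ppath"],
        parent_comm=g["pcomm"],
        parent_pid=int(g["ppid"]) if g["ppid"] else None,
    )


def triage(ev: MprotectDenial) -> str:
    """Constructed severity heuristic: a denial in a root (euid 0) task means a
    successful RWX mapping would have been root-level code, so rank it above a
    denial in an unprivileged task. Both still need the analysis the page describes."""
    return "high" if ev.euid == 0 else "medium"


def summarize(lines: Iterable[str]) -> Counter:
    """Count denials per (binary, parent binary) pair so a repeatedly offending
    application stands out from a one-off event."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_grsec_mprotect(line)
        if ev:
            counts[(ev.path, ev.parent_path)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_grsec_mprotect(line)
        if ev:
            print(f"{triage(ev):6} {ev.path}[{ev.pid}] euid={ev.euid} "
                  f"parent={ev.parent_path}[{ev.parent_pid}]")
    print(summarize(SAMPLE_LINES))
```

Run it directly to see the page's example classified as high (root task, ld.so invoked under prelink) and the constructed unprivileged worker as medium; the (binary, parent) counts are what you would compare against the FAQ decision on whether to exempt a specific application.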

If you wish to allow a specific application to use this unsafe function, then please see the mprotect FAQ article (https://www.atomicorp.com/wiki/index.php/ASL_FAQ#mprotect.28.29:_13_.28Permission_denied.29). We do not recommend you enable an application to do this without careful analysis of all possible vectors that could be used to compromise the system. It will open your system up to potential compromise that the kernel will not be able to protect you against, and may not be detectable by any rootkit detector.
