Difference between revisions of "HIDS 61130"
(Created page with "'''Rule ID''' 61130 '''Status''' Active rule currently published. '''Description''' ''Grsecurity has detected a process was attached to via ptrace.'' This rule when a...") |
Latest revision as of 14:49, 23 March 2014
Rule ID
61130
Status
Active rule currently published.
Description
Grsecurity has detected a process was attached to via ptrace.
This rule when a process is attached to via ptrace. ptrace is a debugging tool. This rule does not block or prevent any activity.
ptrace is sometimes used by attackers to gain access to memory on the system to attempt to carry out attacks, or steal critical information.
False Positives
None.
Tuning Recommendations
None.
Similar Rules
None.
Notes
Plesk is known to attach ptrace to its processes to prevent reverse engineering. Here are some log examples:
Mar 23 13:47:04 ns2 kernel: grsec: process /usr/sbin/sw-engine-fpm(sw-engine-fpm:1690) attached to via ptrace by /usr/sbin/sw-engine-fpm[sw-engine-fpm:1692] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sw-engine-fpm[sw-engine-fpm:1690] uid/euid:0/0 gid/egid:0/0
Mar 23 14:07:15 ns2 kernel: grsec: process /usr/bin/sw-engine(sw-engine:5476) attached to via ptrace by /usr/bin/sw-engine[sw-engine:5477] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sw-engine[sw-engine:5476] uid/euid:0/0 gid/egid:0/0