HIDS 61028

From Atomicorp Wiki
Revision as of 13:10, 5 May 2014 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Rule 61028
Status Active
Alert Message Denied an untrusted non system library binary from hooking an application

Contents

Description

This rule is triggered when a userland application tries to hook a system library or application, but is not itself a system library or application.

You should investigate this event as it may be part of a broader attack. Some debugging application, such as abrtd, are known to do this.

Log examples

May 5 09:24:02 host kernel: grsec: denied exec of usermode helper binary /usr/libexec/abrt-hook-ccpp located outside of /sbin and system library paths

Troubleshooting

False Positives

Please report this to support if you know this is not an attack.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Personal tools