HIDS 61130
Rule ID
61130
Status
Active rule currently published.
Description
Grsecurity has detected a process was attached to via ptrace.
This rule triggers when a process is attached to via ptrace. ptrace is a debugging tool. This rule does not block or prevent any activity.
ptrace is sometimes used by attackers to gain access to memory on the system to attempt to carry out attacks, or steal critical information.
False Positives
None.
Tuning Recommendations
None.
Similar Rules
None.
Notes
Plesk is known to attach ptrace to its processes to prevent reverse engineering. Here are some log examples:
Mar 23 13:47:04 ns2 kernel: grsec: process /usr/sbin/sw-engine-fpm(sw-engine-fpm:1690) attached to via ptrace by /usr/sbin/sw-engine-fpm[sw-engine-fpm:1692] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sw-engine-fpm[sw-engine-fpm:1690] uid/euid:0/0 gid/egid:0/0
Mar 23 14:07:15 ns2 kernel: grsec: process /usr/bin/sw-engine(sw-engine:5476) attached to via ptrace by /usr/bin/sw-engine[sw-engine:5477] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sw-engine[sw-engine:5476] uid/euid:0/0 gid/egid:0/0
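
An added example, not part of the original rule documentation: Python code that parses the grsec ptrace message in the format of the log examples above and separates the Plesk self-attach pattern (same binary, tracer is a child of the traced process) from other attachments. The allowlist, the triage labels and the second sample line are assumptions constructed for illustration.

```python
import re

# Pattern derived from the two log examples on this page. Paths that contain
# spaces or brackets are not handled.
PTRACE_RE = re.compile(
    r"grsec: process (?P<tracee_path>[^\s(]+)\([^:]+:(?P<tracee_pid>\d+)\) "
    r"attached to via ptrace by (?P<tracer_path>[^\s\[]+)\[[^:]+:(?P<tracer_pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent_path>[^\s\[]+)\[[^:]+:(?P<parent_pid>\d+)\]"
)

# Assumption: the binaries that self-attach in the Plesk examples above.
KNOWN_SELF_TRACERS = {"/usr/sbin/sw-engine-fpm", "/usr/bin/sw-engine"}

PREFIX = "Mar 23 13:47:04 ns2 kernel: grsec: process "
CREDS = " uid/euid:0/0 gid/egid:0/0"
SAMPLES = [
    # First log example from this page.
    PREFIX + "/usr/sbin/sw-engine-fpm(sw-engine-fpm:1690) attached to via ptrace by "
    "/usr/sbin/sw-engine-fpm[sw-engine-fpm:1692]" + CREDS
    + ", parent /usr/sbin/sw-engine-fpm[sw-engine-fpm:1690]" + CREDS,
    # Constructed line (not from the page): a different binary attaches.
    PREFIX + "/usr/sbin/sshd(sshd:812) attached to via ptrace by "
    "/usr/bin/strace[strace:9120]" + CREDS + ", parent /bin/bash[bash:9001]" + CREDS,
]

def parse(line):
    """Return the fields of a grsec ptrace-attach message, or None."""
    m = PTRACE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("tracee_pid", "tracer_pid", "parent_pid", "uid", "euid"):
        ev[key] = int(ev[key])
    return ev

def triage(line):
    """Label a line 'expected' (known self-attach), 'review' or 'unparsed'."""
    ev = parse(line)
    if ev is None:
        return "unparsed"
    # Self-attach: tracer runs the same binary and its parent is the tracee.
    self_attach = (ev["tracer_path"] == ev["tracee_path"]
                   and ev["parent_pid"] == ev["tracee_pid"])
    if self_attach and ev["tracee_path"] in KNOWN_SELF_TRACERS:
        return "expected"
    return "review"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), parse(sample)["tracer_path"])
```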