On Fri, Dec 13, 2013 at 02:06:48PM +0100, Ingo Molnar wrote:

...

> In future the exploit() code could trigger actual active defensive
> measures, such as immediately freezing all tasks of that UID and
> blocking further fork()s/exec()s of that UID.
>
> Depending on how critical the security of the system is, such active
> measures might still be a preferable outcome even if there's a chance
> of false positives. (Such active measures that freeze the UID will
> also help with forensics, if the attack is indeed real.)
I would recommend adding the CVSS score or some other quantifiable
attribute to the exploit() call, e.g.:

exploit("CVE-2011-4330", 72);

Or, optionally, maintaining a LUT of CVE -> severity number.

Then the user can decide how to respond to different levels of exploits.
So,

>80 freezes all tasks of the UID, emails user
>30, <80 emails user
<30 just logs it.

I'm swagging this; my point is the user needs a concrete, configurable
way to be alerted / respond.

thx,
Jason.
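As an added example (not code from this thread, from Ingo's patch or from the kernel), here is a userspace C mock-up of what Jason describes: an exploit() call that carries a severity score or looks one up in a CVE -> severity table, and a user-configurable policy that maps severity to log / notify / freeze-the-UID. The CVE ids, severity numbers, the "notify=30,freeze=80,unknown=100" setting syntax and the fail-closed default for CVEs missing from the table are all constructed for the demo and are not real CVSS data or a real sysctl.

```c
/*
 * Added example, not code from the LKML thread or the kernel: a userspace
 * mock-up of a severity-scored exploit() call with a CVE -> severity lookup
 * table and user-configurable response thresholds.  CVE ids, severities and
 * the policy syntax below are constructed for the demo.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Responses, least to most drastic (Jason's <30 / >30 / >80 buckets). */
enum exploit_action {
	EXPLOIT_LOG = 0,        /* log only */
	EXPLOIT_NOTIFY = 1,     /* log + notify (email) the user */
	EXPLOIT_FREEZE_UID = 2, /* notify + freeze all tasks of the UID */
};

/* User-configurable policy, e.g. from a setting "notify=30,freeze=80,unknown=100". */
struct exploit_policy {
	int notify_threshold;
	int freeze_threshold;
	int unknown_severity;   /* assumed when neither caller nor table gives a score */
};

/* Defaults: Jason's >30 notify / >80 freeze; unknown CVEs fail closed (assumption). */
static struct exploit_policy policy = { 30, 80, 100 };

/* Constructed CVE -> severity table (CVSS x 10); a real one would come from a feed. */
struct cve_severity { const char *cve; int severity; };
static const struct cve_severity cve_lut[] = {
	{ "CVE-2011-4330", 72 },
	{ "CVE-2011-1020", 25 },
	{ "CVE-2013-2094", 94 },
};

#define SEVERITY_UNKNOWN (-1)

/* Table severity for @cve, or SEVERITY_UNKNOWN if it is not listed. */
int cve_lookup_severity(const char *cve)
{
	size_t i;
	for (i = 0; i < sizeof(cve_lut) / sizeof(cve_lut[0]); i++)
		if (strcmp(cve_lut[i].cve, cve) == 0)
			return cve_lut[i].severity;
	return SEVERITY_UNKNOWN;
}

/*
 * Parse "key=value[,key=value...]" (keys: notify, freeze, unknown; values 0..100)
 * into @p.  Returns 0 on success, -1 on a bad key, bad value or notify > freeze.
 * @p is left untouched on failure so a bad write cannot half-apply.
 */
int exploit_policy_parse(const char *cfg, struct exploit_policy *p)
{
	struct exploit_policy tmp = *p;
	const char *s = cfg;

	while (*s) {
		const char *eq = strchr(s, '=');
		const char *comma = strchr(s, ',');
		char *end;
		long v;
		size_t klen;

		if (!eq || (comma && comma < eq))
			return -1;
		klen = (size_t)(eq - s);
		v = strtol(eq + 1, &end, 10);
		if (end == eq + 1 || v < 0 || v > 100 || (*end && *end != ','))
			return -1;
		if (klen == 6 && strncmp(s, "notify", 6) == 0)
			tmp.notify_threshold = (int)v;
		else if (klen == 6 && strncmp(s, "freeze", 6) == 0)
			tmp.freeze_threshold = (int)v;
		else if (klen == 7 && strncmp(s, "unknown", 7) == 0)
			tmp.unknown_severity = (int)v;
		else
			return -1;
		s = *end ? end + 1 : end;
	}
	if (tmp.notify_threshold > tmp.freeze_threshold)
		return -1;
	*p = tmp;
	return 0;
}

/* Map a severity to an action under @p. */
enum exploit_action exploit_action_for(int severity, const struct exploit_policy *p)
{
	if (severity > p->freeze_threshold)
		return EXPLOIT_FREEZE_UID;
	if (severity > p->notify_threshold)
		return EXPLOIT_NOTIFY;
	return EXPLOIT_LOG;
}

/*
 * The proposed call, e.g. exploit("CVE-2011-4330", 72).  Pass SEVERITY_UNKNOWN
 * to use the table; if the table has no entry either, policy.unknown_severity
 * applies.  Returns the action so callers can check what happened.
 */
enum exploit_action exploit(const char *cve, int severity)
{
	enum exploit_action act;

	if (severity == SEVERITY_UNKNOWN)
		severity = cve_lookup_severity(cve);
	if (severity == SEVERITY_UNKNOWN)
		severity = policy.unknown_severity;
	act = exploit_action_for(severity, &policy);
	/* A kernel would printk here and, for EXPLOIT_FREEZE_UID, stop the UID's tasks. */
	printf("exploit attempt %s severity=%d action=%d\n", cve, severity, act);
	return act;
}

int main(void)
{
	exploit("CVE-2011-4330", 72);                /* explicit score: notify */
	exploit("CVE-2013-2094", SEVERITY_UNKNOWN);  /* from table: freeze */
	exploit("CVE-2099-0001", SEVERITY_UNKNOWN);  /* not in table: fail closed */
	if (exploit_policy_parse("notify=75,freeze=90", &policy) == 0)
		exploit("CVE-2011-4330", SEVERITY_UNKNOWN); /* now only logged */
	return 0;
}
```

Two choices worth noting: a CVE that is neither scored by the caller nor present in the table is treated as maximum severity unless the user lowers `unknown` (a silent log-only default would let an unscored exploit slip past the freeze response), and the policy parser validates the whole string before touching the live policy, so a malformed write cannot leave the thresholds half-updated.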