Feature Request - Log what processes are killed


Post by tjh » Sun Jan 04, 2015 4:01 pm

When a subject has the "C" flag, grsecurity will "Auto-kill all processes belonging to the attacker's IP address upon violation of security policy."

This is a great feature. What I'd love is a log of all the processes that are killed when this is triggered.

In testing my policies, I've noticed that I've managed to kill a few other processes (that were associated with my IP address) and didn't realise until later.

I also think it'd be a good idea if an attacker is trying to execute a binary in some "hidden" corner of the filesystem, it'd be nice to see what the process was.

So my request is that processes that are killed on violation of policy, based on the "C" subject flag, get logged to the system log for later review.

Thanks!

Tim / tjh