[PATCH v5 7/8] Documentation: Add documentation for the Brute LSM

John Wood john.wood at gmx.com
Sun Mar 7 16:45:20 UTC 2021


On Sun, Mar 07, 2021 at 07:19:20AM -0800, Andi Kleen wrote:
> Sorry for the late answer. I somehow missed your email earlier.
>
> > As a mitigation method, all the offending tasks involved in the attack are
> > killed. Or in other words, all the tasks that share the same statistics
> > (statistics showing a fast crash rate) are killed.
>
> So systemd will just restart the network daemon and then the attack works
> again?

Sorry, but I think my last explanation is not clear enough. If the network
daemon crashes repeatedly in a short period of time it will trigger a brute
force attack through the fork system call. Then this daemon and all the fork
processes created from it will be killed. If systemd restarts the network
daemon and it crashes again, then systemd will be killed. I think this
way the attack is fully mitigated.

> Or if it's a interactive login you log in again.

First the login will be killed (if it fails with a fatal signal) and if it is
restarted, the process that exec()s it again will be killed. In this case I think
that the threat is also completely mitigated.

> I think it might be useful even with these limitations, but it would
> be good to spell out the limitations of the method more clearly.
>
> I suspect to be useful it'll likely need some user space configuration
> changes too.

In the v2 version there were some sysctl attributes for fine-tuning the
detection. The following two paragraphs are extracted from the documentation
patch of that version:

To customize the detection's sensitivity there are two new sysctl attributes
that allow setting the last crashes timestamps list size and the application
crash period threshold (in milliseconds). Both are accessible through the
following files respectively.

/proc/sys/kernel/brute/timestamps_list_size
/proc/sys/kernel/brute/crash_period_threshold

However, Kees Cook suggested that if we narrow the attack detection, focusing on
the crossing of privilege boundaries and signals delivered only by the kernel,
it seems unnecessary for the user to customize this feature. I agree
with that.

>
> -Andi

I have sent a v6 version with the documentation improved.

Thanks for your comments,
John Wood
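Added illustration, not code from the Brute patch set: a small model of the
detection policy described in this thread (a fork tree shares one crash
statistics record; an exec()ed program starts fresh statistics; once the
bounded timestamp list fills and the mean crash period drops below the
threshold, every task sharing those statistics is killed, and the launcher
that keeps restarting the program is caught in turn). The class names, the
sysctl default values and the rule that a killed tree is charged to its
launcher as a single crash are my assumptions, not the kernel's behaviour.

```python
from collections import deque
from statistics import mean

# Assumed values for the two v2 sysctls named in the thread (not the real defaults).
TIMESTAMPS_LIST_SIZE = 5            # /proc/sys/kernel/brute/timestamps_list_size
CRASH_PERIOD_THRESHOLD_MS = 30000   # /proc/sys/kernel/brute/crash_period_threshold

class Stats:
    """Crash statistics shared by every task in one fork tree."""
    def __init__(self):
        self.timestamps = deque(maxlen=TIMESTAMPS_LIST_SIZE)  # last N crash times
        self.tasks = set()                                   # pids sharing these stats

    def record(self, now_ms):
        self.timestamps.append(now_ms)

    def brute_force_detected(self):
        # Judge only once the list is full; compare mean crash period with the threshold.
        if len(self.timestamps) < TIMESTAMPS_LIST_SIZE:
            return False
        ts = list(self.timestamps)
        return mean(b - a for a, b in zip(ts, ts[1:])) < CRASH_PERIOD_THRESHOLD_MS

class Task:
    def __init__(self, pid, stats, exec_parent=None):
        self.pid, self.stats, self.exec_parent = pid, stats, exec_parent
        stats.tasks.add(pid)

def fork(parent, child_pid):
    # fork(): the child keeps sharing the parent's statistics.
    return Task(child_pid, parent.stats, parent.exec_parent)

def execve(launcher, child_pid):
    # exec(): the new program starts with fresh statistics; its launcher is remembered.
    return Task(child_pid, Stats(), launcher)

def fatal_crash(task, now_ms):
    """Record a kernel-delivered fatal signal; return the pids the model would kill."""
    task.stats.record(now_ms)
    if not task.stats.brute_force_detected():
        return set()
    killed = set(task.stats.tasks)
    # Assumption: killing a launched fork tree is charged to its launcher as one crash,
    # so a supervisor that keeps restarting the crashing program is caught in turn.
    launcher = task.exec_parent
    if launcher is not None:
        launcher.stats.record(now_ms)
        if launcher.stats.brute_force_detected():
            killed |= launcher.stats.tasks
    return killed
```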