change suid_dumpable config
Summary of the Pull Request
The attacker attempts to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges, to be generated. These dumps may contain sensitive information such as passwords, cryptographic keys, or other secrets.
CVE-2025-5054: Information leak via core dumps from SUID binaries using apport. CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
Changelog
new: Potential Exploitation of Apport and systemd-coredump Info Disclosure cve_2025_5054_cve_2025_4598
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
Hi, @swachchhanda000
Could you help me? I don't understand why this occurs.
It could be because your rule filename doesn't follow sigma specification
See the screenshot below
Since it's a Linux process creation ET rule, the rule name should start with proc_creation_lnx_cve....
Hi, @phantinuss I agree with you. I think we can detect any changes to the selection_suid_dumpable_sysctl, and remove the other detections for now—at least until we’ve thought more about them. What do you think?
The file name has to start with proc_creation_lnx_ for the test to pass.
For the echo selection part of the rule: I think it's fine. It's a best-effort approach. Not every rule can cover 100%.
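As an added illustration of the detection logic discussed in the PR summary and in the thread above (the sysctl selection that the reviewers agree to keep, and the best-effort echo selection), here is a small Python matcher run over constructed process-creation events. It is example code written for this page, not the Sigma rule from the PR or any SigmaHQ tooling; the selection names, the field names `Image` and `CommandLine`, and the sample events are all assumptions made for the example.

```python
import re
from typing import Optional

# Constructed Linux process-creation events (not real telemetry). The field
# names mirror the Image / CommandLine fields a process_creation rule keys on.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -w fs.suid_dumpable=2"},
    {"Image": "/usr/bin/sh", "CommandLine": "sh -c \"echo 1 > /proc/sys/fs/suid_dumpable\""},
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'echo 2 | sudo tee /proc/sys/fs/suid_dumpable'"},
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -w fs.suid_dumpable=0"},  # restores the safe default
    {"Image": "/usr/bin/cat", "CommandLine": "cat /proc/sys/fs/suid_dumpable"},   # read only, not a write
]

# sysctl form: fs.suid_dumpable set to 1 or 2 (0 is the hardened default and is ignored)
SYSCTL_RE = re.compile(r"\bfs\.suid_dumpable\s*=\s*([12])\b")

# shell form: echo/printf of 1 or 2 redirected (> or >>) or piped through tee into the procfs file
SHELL_WRITE_RE = re.compile(
    r"(?:echo|printf)\s+['\"]?([12])['\"]?\s*"
    r"(?:>>?|\|\s*(?:sudo\s+)?tee\s+(?:-a\s+)?)\s*/proc/sys/fs/suid_dumpable\b"
)


def classify(event: dict) -> Optional[str]:
    """Return the name of the selection an event matches, or None if it is benign."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection_suid_dumpable_sysctl: the sysctl binary changing the key to 1 or 2
    if image.endswith("/sysctl") and SYSCTL_RE.search(cmd):
        return "selection_suid_dumpable_sysctl"
    # selection_suid_dumpable_echo: a shell writing 1 or 2 straight into /proc/sys/fs/suid_dumpable
    if SHELL_WRITE_RE.search(cmd):
        return "selection_suid_dumpable_echo"
    return None


def scan(events) -> list:
    """Run classify over an event stream and return (event index, selection) pairs for hits."""
    hits = []
    for i, ev in enumerate(events):
        sel = classify(ev)
        if sel:
            hits.append((i, sel))
    return hits


if __name__ == "__main__":
    for i, sel in scan(SAMPLE_EVENTS):
        print(f"event {i}: {sel}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 2 are reported; the `=0` write and the plain read are not. The echo selection is best effort in exactly the sense the thread describes: a value placed in a sysctl.conf drop-in and loaded with `sysctl -p`, or a program that opens the procfs file and writes to it directly, leaves no matching command line, so those paths need a separate data source (for example file-modification telemetry on /proc/sys/fs/suid_dumpable) rather than a longer regex.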