Saint Jude is a project to develop kernel-level IDS mechanisms that protect the integrity of host systems.
This permits the discovery of local and remote root exploits while the exploit is in progress. Once an exploit is detected, Saint Jude terminates its execution, preventing the root compromise from completing.
This is done without checking for attack signatures of known exploits, so it should work against both known and unknown exploits.
Saint Jude exists in the Linux universe as a kernel module. The module should be loaded as early in the boot process as possible. The easiest way to do this is to have init load the module before it runs the rc scripts; this permits StJude to monitor the daemon processes started by the rc scripts, as well as the behavior of the rc scripts themselves.
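One way to have init load the module before the rc scripts, as an added example that is not part of the StJude distribution: on a sysvinit system, entries with the sysinit action in /etc/inittab run in file order before any boot, bootwait or runlevel entries, so placing an insmod entry ahead of the existing sysinit line (typically the one that runs rc.sysinit) loads the module first. The module path /lib/modules/stjude.o and the entry id sj are assumptions for illustration; substitute the path your build produces. The function prints the modified inittab to stdout rather than editing /etc/inittab in place, so the result can be reviewed before it is written back.

```shell
#!/bin/sh
# Added example, not StJude's own code. Assumes a sysvinit-style /etc/inittab
# (id:runlevels:action:process) and a hypothetical module path.

# add_stjude_sysinit INITTAB [MODULE]
# Print INITTAB with "sj::sysinit:/sbin/insmod MODULE" inserted immediately
# before the first existing sysinit entry, so init loads the module before
# rc.sysinit and the rc scripts run. If no sysinit entry exists the line is
# appended. If an "sj:" entry is already present the file is printed unchanged,
# so the function is safe to run more than once.
add_stjude_sysinit() {
    inittab=$1
    mod=${2:-/lib/modules/stjude.o}   # assumed location of the built module

    if grep -q '^sj:' "$inittab"; then
        cat "$inittab"
        return 0
    fi

    awk -v mod="$mod" '
        BEGIN { done = 0 }
        # first non-comment entry whose action field is sysinit
        !done && $0 ~ /^[^#:][^:]*:[^:]*:sysinit:/ {
            print "sj::sysinit:/sbin/insmod " mod
            done = 1
        }
        { print }
        END { if (!done) print "sj::sysinit:/sbin/insmod " mod }
    ' "$inittab"
}

# Typical use (review the output before replacing the real file):
#   add_stjude_sysinit /etc/inittab /lib/modules/stjude.o > /tmp/inittab.new
#   diff /etc/inittab /tmp/inittab.new && cp /tmp/inittab.new /etc/inittab
```

After installing the new inittab, `telinit q` makes init re-read it, but the module itself is only loaded by this entry at the next boot; load it by hand with insmod for the current session.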
Using Saint Jude involves compiling the module in two modes: learning mode and normal mode. In learning mode the module generates a series of log entries via klogd that are used to produce a ruleset appropriate for the host system. Once that ruleset has been generated, it replaces the default ruleset shipped with StJude and the module is compiled in normal mode, in which it enforces the behavior modeled during learning. Because anything not observed in learning mode will later be treated as a violation, the learning run should be done on a host believed to be clean and should cover the full range of legitimate activity (a complete boot, normal daemon operation, routine administrative tasks) before the ruleset is generated.
The following sections cover how to perform each of these tasks.