by londons_explore
1114 days ago
I'm going to take a guess that reads of files like /etc/shadow are 'tripwires', which trigger a review by an engineer. With seccomp-bpf it's pretty simple to have systemwide tripwires on certain files/syscalls/network operations. Even if the attacker gains root, your tripwire will probably alert you before they can disable it.