Honeypots mailing list archives
Re: sebek as a patch?
From: Edward Balas <ebalas () iu edu>
Date: Mon, 03 Oct 2005 09:25:23 -0500
Thorsten Holz wrote:
| Hi everyone,
|
| catching up on mails and it seems like nobody has replied to this
| yet...
|
| NAHieu wrote:
|
|> Hi,
|>
|> One problem of sebek is it is rather hard to hide it in kernel
|> module list (Imagine that the attacker has root access). I guess
|> the problem can be improved if we patch sebek directly into linux
|> kernel, so sebek is built in, and not run as module.
|
| I assume you want to use the Linux version of Sebek since for *BSD,
| there is a patch available at http://honeynet.droids-corp.org/
|
| Patching would be the best option, but unfortunately there is not
| yet a patch for Linux available. Another possibility to complicate
| the process of removing a module is to remove the capability
| CAP_SYS_MODULE from the bounding set. Afterwards, no modules can be
| un-/loaded. Just use something like
|
| echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
|
| to remove CAP_SYS_MODULE...
|
| Cheers,
| Thorsten

Could you elaborate on what you mean by rather hard to hide the kernel
module? I presume you mean beyond simply modifying the kernel data
structure to remove the module from the linked list of modules, which is
done currently?

As for a patch, it does offer some advantages; however, I am skeptical
that it will be the magic fix. First, most of the detection stuff we have
seen is pattern-match based. Going to a kernel patch just changes the
patterns that one needs to look for. Second, once you have patched the
kernel, detection can happen on the kernel image in the fs itself.

The one thing that is pretty sweet about a patch is that you don't need
to worry about how to reinstall the kernel module after reboot.

Ed
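An added example, not code from the thread or from Sebek: a POSIX shell helper that derives the cap-bound value behind the quoted `echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound` and reports which capabilities a given value still contains, so the mask can be checked before it is written. It assumes the pre-2.6.25 /proc/sys/kernel/cap-bound interface (the kernel prints the bounding set as a signed 32-bit decimal such as -257 and accepts decimal or 0x hex on write) and the capability numbers from linux/capability.h (CAP_SYS_MODULE is 16); the short list of names in cap_bound_report is my own choice for reporting.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the pre-2.6.25 cap-bound sysctl:
# read gives a signed 32-bit decimal (e.g. -257), write accepts decimal or 0x hex.
# Capability numbers are the kernel's (linux/capability.h): CAP_SETPCAP=8,
# CAP_SYS_MODULE=16, CAP_SYS_RAWIO=17.

# Reduce a kernel-printed value (signed decimal or 0x hex) to an unsigned 32-bit mask.
cap_bound_mask() {
    printf '0x%08x' $(( $1 & 0xFFFFFFFF ))
}

# Return 0 (true) if capability number $2 is still present in bounding-set value $1.
cap_bound_has() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# Print the value to write so that capability $2 is dropped from bounding set $1.
# Only bit $2 is cleared; capabilities already absent from $1 stay absent.
cap_bound_drop() {
    printf '0x%08x' $(( ($1 & 0xFFFFFFFF) & ~(1 << $2) ))
}

# Report a hypothetical shortlist of capabilities relevant to keeping a kernel
# monitor in place (module loading, raw I/O, changing capability sets).
cap_bound_report() {
    for pair in 8:CAP_SETPCAP 16:CAP_SYS_MODULE 17:CAP_SYS_RAWIO; do
        num=${pair%%:*}; name=${pair#*:}
        if cap_bound_has "$1" "$num"; then echo "$name present"; else echo "$name dropped"; fi
    done
}

# Use the live value when the old sysctl exists, otherwise a constructed sample:
# -257 is 0xFFFFFEFF, i.e. every capability except CAP_SETPCAP (bit 8).
if [ -r /proc/sys/kernel/cap-bound ]; then
    current=$(cat /proc/sys/kernel/cap-bound)
else
    current=-257
fi
echo "current bounding set: $(cap_bound_mask "$current")"
cap_bound_report "$current"
echo "to drop CAP_SYS_MODULE, write: $(cap_bound_drop "$current" 16)"
```

Writing 0xFFFFFFFF with bit 16 cleared is exactly 0xFFFEFFFF, the value quoted above; starting from the -257 sample the function yields 0xFFFEFEFF instead, because it leaves CAP_SETPCAP dropped as well.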