Honeypots mailing list archives
Re: sebek as a patch?
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Sun, 02 Oct 2005 13:46:19 +0200
Hi everyone, catching up on mails and it seems like nobody has replied to this yet... NAHieu wrote:
Hi, One problem of sebek is it is rather hard to hide it in kernel module list (Imagine that the attacker has root access). I guess the problem can be improved if we patch sebek directly into linux kernel, so sebek is built in, and not run as module.
I assume you want to use the Linux version of Sebek since for *BSD, there is a patch available at http://honeynet.droids-corp.org/

Patching would be the best option, but unfortunately there is not yet a patch for Linux available. Another possibility to complicate the process of removing a module is to remove the capability CAP_SYS_MODULE from the bounding set. Afterwards, no modules can be un-/loaded. Just use something like

echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

to remove CAP_SYS_MODULE...

Cheers,
Thorsten
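The following is an added example, not code from the post above or from the Sebek project, showing where the value 0xFFFEFFFF comes from and how to verify a mask before writing it to cap-bound. Capability bit numbers are taken from linux/capability.h (CAP_SYS_MODULE is bit 16); the function names are made up for this example. It goes one step beyond the post by also covering CAP_SYS_RAWIO, since an attacker with root who cannot load a module can still try to patch the running kernel through /dev/kmem, and dropping that capability closes the same hole. Two caveats a practitioner will want: the cap-bound sysctl exists only on Linux kernels before 2.6.25 (later kernels keep a per-process bounding set, dropped with prctl(PR_CAPBSET_DROP)), and a write from anything other than init is ANDed into the current bounding set and cannot be undone without a reboot, so the operator loses module loading too.

```shell
#!/bin/sh
# Added example (not from the original post or from Sebek): build and check a
# /proc/sys/kernel/cap-bound mask that drops the given capabilities.
# Bit numbers are assumed from linux/capability.h.

# Map a capability name to its bit number.
cap_bit() {
    case "$1" in
        CAP_SYS_MODULE) echo 16 ;;   # load/unload kernel modules
        CAP_SYS_RAWIO)  echo 17 ;;   # raw I/O, /dev/mem and /dev/kmem
        CAP_SYS_PTRACE) echo 19 ;;
        CAP_SYS_BOOT)   echo 22 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Start from all 32 bits set and clear one bit per capability named on the
# command line. Since the kernel ANDs a write from a normal process into the
# existing bounding set, the bits left set change nothing else.
# cap_bound_mask CAP_SYS_MODULE prints 0xFFFEFFFF, the value from the post.
cap_bound_mask() {
    mask=4294967295   # 0xFFFFFFFF
    for name in "$@"; do
        bit=$(cap_bit "$name") || return 1
        mask=$(( mask & ~(1 << bit) & 4294967295 ))
    done
    printf '0x%08X\n' "$mask"
}

# Succeed (exit 0) only if the hex mask in $1 has the bit for $2 cleared.
cap_dropped() {
    bit=$(cap_bit "$2") || return 1
    [ $(( ($1 >> bit) & 1 )) -eq 0 ]
}

# Write a mask on a live pre-2.6.25 kernel. Needs root; the effect is one-way
# (the writer needs CAP_SYS_MODULE itself, which the write takes away).
apply_cap_bound() {
    if [ ! -w /proc/sys/kernel/cap-bound ]; then
        echo "cap-bound not writable: not root, or kernel >= 2.6.25" >&2
        return 1
    fi
    echo "$1" > /proc/sys/kernel/cap-bound
}

# Typical use on the honeypot, after Sebek has been loaded:
#   apply_cap_bound "$(cap_bound_mask CAP_SYS_MODULE CAP_SYS_RAWIO)"
```

Compute the mask and check it with cap_dropped on the honeypot before running apply_cap_bound, because there is no way back short of rebooting, and do it only after Sebek itself is loaded.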
Current thread:
- Re: sebek as a patch? Thorsten Holz (Oct 02)
- Re: sebek as a patch? Laurent OUDOT (Oct 04)
- Re: sebek as a patch? NAHieu (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? Thorsten Holz (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? NAHieu (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 05)
- Re: sebek as a patch? Daniel J. Axtens (Oct 06)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 06)
- Re: sebek as a patch? Thorsten Holz (Oct 05)