Honeypots mailing list archives

Re: sebek as a patch?


From: NAHieu <nahieu () gmail com>
Date: Mon, 3 Oct 2005 16:08:32 +0900

On 10/2/05, Thorsten Holz <thorsten.holz () mmweg rwth-aachen de> wrote:
Hi everyone,

catching up on mails and it seems like nobody has replied to this yet...

NAHieu wrote:
Hi,

One problem with sebek is that it is rather hard to hide it in the kernel module
list (imagine that the attacker has root access). I guess the
problem can be improved if we patch sebek directly into the Linux kernel,
so sebek is built in and not run as a module.

I assume you want to use the Linux version of Sebek since for *BSD,
there is a patch available at http://honeynet.droids-corp.org/

Yes, I am working on Linux.


Patching would be the best option, but unfortunately there is not yet a
patch for Linux available. Another possibility to complicate the process
of removing a module is to remove the capability CAP_SYS_MODULE from the
bounding set. Afterwards, no modules can be un-/loaded. Just use
something like

echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

to remove CAP_SYS_MODULE...

Also never forget to disable /dev/{kmem,mem}

Thanks.
Hieu
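
The cap-bound step suggested above, worked through as an added example (this is not code from the thread or from the Sebek project): instead of hard-coding 0xFFFEFFFF, the script reads the kernel's current bounding set, clears the CAP_SYS_MODULE bit, writes the result back and verifies that the bit is really gone. It assumes a kernel that still has /proc/sys/kernel/cap-bound (2.4 and 2.6.0 through 2.6.24; the sysctl was removed in 2.6.25 when the bounding set became per-process). CAP_SYS_MODULE=16 is the bit number from <linux/capability.h>; the function names and the --apply flag are this example's own.

```bash
#!/bin/bash
# Added example, not code from the mailing-list thread or from Sebek.
# Drops CAP_SYS_MODULE from the system-wide capability bounding set by
# computing the new mask from the kernel's current value rather than
# hard-coding 0xFFFEFFFF. Assumes /proc/sys/kernel/cap-bound exists
# (kernels 2.4 and 2.6.0-2.6.24 only). CAP_SYS_MODULE=16 is the bit
# number from <linux/capability.h>; everything else is this script's own.

CAP_SYS_MODULE=16
CAP_BOUND_FILE=/proc/sys/kernel/cap-bound

# Print MASK with bit CAPNUM cleared, as a 32-bit hex value.
# The kernel reports cap-bound as a signed decimal (e.g. -257 is the
# default: every capability except CAP_SETPCAP, bit 8), so the result is
# masked to 32 bits to avoid sign extension in 64-bit shell arithmetic.
clear_cap() {
    local mask=$1 capnum=$2
    printf '0x%08X\n' $(( (mask & ~(1 << capnum)) & 0xFFFFFFFF ))
}

# Succeed if bit CAPNUM is set in MASK (MASK may be hex or signed decimal).
has_cap() {
    local mask=$1 capnum=$2
    [ $(( (mask >> capnum) & 1 )) -eq 1 ]
}

# Write the reduced mask and confirm the kernel took it. The write itself
# needs CAP_SYS_MODULE, and for any process other than init the kernel ANDs
# the written value with the current set, so this can only ever lower it;
# once the bit is gone nobody (including us) can load or unload modules,
# so run this only after Sebek has been loaded.
drop_sys_module() {
    local cur new
    if [ ! -w "$CAP_BOUND_FILE" ]; then
        echo "cannot write $CAP_BOUND_FILE: not root, or kernel >= 2.6.25" >&2
        return 1
    fi
    cur=$(cat "$CAP_BOUND_FILE")
    new=$(clear_cap "$cur" "$CAP_SYS_MODULE")
    echo "bounding set: $cur -> $new"
    echo "$new" > "$CAP_BOUND_FILE"
    if has_cap "$(cat "$CAP_BOUND_FILE")" "$CAP_SYS_MODULE"; then
        echo "CAP_SYS_MODULE is still in the bounding set" >&2
        return 1
    fi
    echo "CAP_SYS_MODULE dropped; modules can no longer be loaded or unloaded"
}

# Only touch the live system when explicitly asked (as root, after Sebek is
# loaded); without --apply the script just defines the helpers above.
if [ "${1:-}" = "--apply" ]; then
    drop_sys_module
fi
```

Note that after this the honeypot operator is locked out too: there is no way to raise the bounding set again short of a reboot, which is exactly the property that keeps the intruder from rmmod'ing Sebek, and also why the kernel applies the same CAP_SYS_MODULE check to the write.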

