Honeypots mailing list archives
Re: sebek as a patch?
From: NAHieu <nahieu () gmail com>
Date: Mon, 3 Oct 2005 16:08:32 +0900
On 10/2/05, Thorsten Holz <thorsten.holz () mmweg rwth-aachen de> wrote:
> Hi everyone,
>
> catching up on mails and it seems like nobody has replied to this yet...
>
> NAHieu wrote:
> > Hi,
> > One problem of sebek is it is rather hard to hide it in kernel module
> > list (Imagine that the attacker has root access). I guess the problem
> > can be improved if we patch sebek directly into linux kernel, so sebek
> > is built in, and not run as a module.
>
> I assume you want to use the Linux version of Sebek since for *BSD, there
> is a patch available at http://honeynet.droids-corp.org/
Yes, I am working on Linux.
> Patching would be the best option, but unfortunately there is not yet a
> patch for Linux available. Another possibility to complicate the process
> of removing a module is to remove the capability CAP_SYS_MODULE from the
> bounding set. Afterwards, no modules can be un-/loaded. Just use
> something like
>
>   echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
>
> to remove CAP_SYS_MODULE...
>
> Also never forget to disable /dev/{kmem,mem}

Thanks.
Hieu
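As an added example (not code from this thread or from the Sebek project), the bounding-set check Thorsten describes, worked through for both the legacy 2.4/early-2.6 /proc/sys/kernel/cap-bound mask quoted above and the per-process CapBnd line in /proc/<pid>/status that replaced it on later kernels; the bit numbers come from linux/capability.h, and the two status samples are constructed.

```python
"""Verify that CAP_SYS_MODULE (and optionally CAP_SYS_RAWIO, which gates
/dev/mem and /dev/kmem) is absent from a Linux capability bounding set.
Constructed example; the kernel interfaces themselves are standard."""

CAP_SYS_MODULE = 16   # bit index from linux/capability.h: insmod/rmmod
CAP_SYS_RAWIO = 17    # bit index from linux/capability.h: /dev/mem, /dev/kmem


def legacy_cap_bound_mask(drop: set[int]) -> int:
    """Value to write to the old /proc/sys/kernel/cap-bound: a 32-bit mask
    with every capability set except the ones being dropped.
    Dropping only CAP_SYS_MODULE yields the 0xFFFEFFFF from the thread."""
    mask = 0xFFFFFFFF
    for cap in drop:
        mask &= ~(1 << cap)
    return mask & 0xFFFFFFFF


def cap_present(mask: int, cap: int) -> bool:
    """True if capability bit `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def parse_capbnd(status_text: str) -> int:
    """Extract the hex CapBnd mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def module_loading_locked(status_text: str) -> bool:
    """True when CAP_SYS_MODULE has been removed from the bounding set."""
    return not cap_present(parse_capbnd(status_text), CAP_SYS_MODULE)


# Constructed samples: a root shell with capabilities 0..40 all present,
# and the same shell after CAP_SYS_MODULE (bit 16) was cleared.
SAMPLE_STATUS_OPEN = "Name:\tbash\nCapBnd:\t000001ffffffffff\n"
SAMPLE_STATUS_LOCKED = "Name:\tbash\nCapBnd:\t000001fffffeffff\n"

if __name__ == "__main__":
    print(hex(legacy_cap_bound_mask({CAP_SYS_MODULE})))  # 0xfffeffff
    try:
        with open("/proc/self/status") as fh:
            print("module loading locked:", module_loading_locked(fh.read()))
    except OSError:
        print("no /proc/self/status; using constructed samples only")
```

The legacy sysctl is gone on current kernels, so on anything recent the CapBnd line is the thing to audit.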
Current thread:
- Re: sebek as a patch? Thorsten Holz (Oct 02)
- Re: sebek as a patch? Laurent OUDOT (Oct 04)
- Re: sebek as a patch? NAHieu (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? Thorsten Holz (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? NAHieu (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 05)
- Re: sebek as a patch? Daniel J. Axtens (Oct 06)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 06)
- Re: sebek as a patch? Edward Balas (Oct 06)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 06)
- Re: sebek as a patch? Thorsten Holz (Oct 05)