Re: sebek as a patch?

[Edward Balas <ebalas () iu edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thorsten Holz wrote:

| Hi everyone,
|
| catching up on mails and it seems like nobody has replied to this
| yet...
|
| NAHieu wrote:
|
|> Hi,
|>
|> One problem of sebek is it is rather hard to hide it in kernel
|> module list (Imagine that the attacker has root access). I guess
|> the problem can be improved if we patch sebek directly into linux
|> kernel, so sebek is built in, and not run as module.
|
|
| I assume you want to use the Linux version of Sebek since for *BSD,
|  there is a patch available at http://honeynet.droids-corp.org/
|
| Patching would be the best option, but unfortunately there is not
| yet a patch for Linux available. Another possibility to complicate
| the process of removing a module is to remove the capability
| CAP_SYS_MODULE from the bounding set. Afterwards, no modules can be
| un-/loaded. Just use something like
|
| echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound
|
| to remove CAP_SYS_MODULE...
|
| Cheers, Thorsten

Could you elaborate on what you mean by rather hard to hide the kernel
module? I presume you mean beyond simply modifying the kernel data
structure to remove the module from the linked list of modules which
is done currently?

As for a patch, it does offer some advantages, however I am skeptical
that it will be the magic fix.  First
most of the detection stuff we have seen is pattern match based.
Going to kernel patch, just changes the patterns that one needs to
looks for.  Second,  once you have  patched the kernel, detection can
happen on there kernel image in the fs itself.  The one thing that is
pretty sweet about a patch is that you dont need to worry about how to
reinstall the kernel module after reboot.

Ed




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDQT9TlKB5oSzVKwoRAldUAJ9aTRsgckhd5iwELY3OrKFckdpSmwCgrOxq
X0WX+PDHapD4i6Kw9InR+9E=
=9YWk
-----END PGP SIGNATURE-----