sebek as a patch?Sep 23 2005 11:43AM NAHieu (nahieu gmail com) (1 replies)
Re: sebek as a patch?Oct 02 2005 11:46AM Thorsten Holz (thorsten holz mmweg rwth-aachen de)
Hi everyone,
catching up on mails and it seems like nobody has replied to this yet...
NAHieu wrote:
> Hi,
>
> One problem of sebek is it is rather hard to hide it in kernel module
> list (Imagine that the attacker has root access). I guess the
> problem can be improved if we patch sebek directly into linux kernel,
> so sebek is built in, and not run as module.
I assume you want to use the Linux version of Sebek since for *BSD,
there is a patch available at http://honeynet.droids-corp.org/
Patching would be the best option, but unfortunately there is not yet a
patch for Linux available. Another possibility to complicate the process
of removing a module is to remove the capability CAP_SYS_MODULE from the
bounding set. Afterwards, no modules can be un-/loaded. Just use
something like
catching up on mails and it seems like nobody has replied to this yet...
NAHieu wrote:
> Hi,
>
> One problem of sebek is it is rather hard to hide it in kernel module
> list (Imagine that the attacker has root access). I guess the
> problem can be improved if we patch sebek directly into linux kernel,
> so sebek is built in, and not run as module.
I assume you want to use the Linux version of Sebek since for *BSD,
there is a patch available at http://honeynet.droids-corp.org/
Patching would be the best option, but unfortunately there is not yet a
patch for Linux available. Another possibility to complicate the process
of removing a module is to remove the capability CAP_SYS_MODULE from the
bounding set. Afterwards, no modules can be un-/loaded. Just use
something like
echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound
to remove CAP_SYS_MODULE...
Cheers,
Thorsten
[ reply ]