sebek as a patch?
Sep 23 2005 11:43AM
NAHieu (nahieu gmail com)
Re: sebek as a patch?
Oct 02 2005 11:46AM
Thorsten Holz (thorsten holz mmweg rwth-aachen de)
Catching up on mails, and it seems like nobody has replied to this yet...
> One problem of sebek is it is rather hard to hide it in kernel module
> list (Imagine that the attacker has root access). I guess the
> problem can be improved if we patch sebek directly into linux kernel,
> so sebek is built in, and not run as module.
I assume you want to use the Linux version of Sebek since for *BSD,
there is a patch available at http://honeynet.droids-corp.org/
Patching would be the best option, but unfortunately there is not yet a
patch for Linux available. Another possibility to complicate the process
of removing a module is to remove the capability CAP_SYS_MODULE from the
bounding set. Afterwards, no modules can be un-/loaded. Just use
echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
to remove CAP_SYS_MODULE...
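An added example (not from the thread) that computes the bounding-set mask with CAP_SYS_MODULE cleared and checks whether the value a kernel reports in /proc/sys/kernel/cap-bound still permits module loading. It assumes the legacy 2.4-era cap-bound interface, where the kernel accepts the mask as an integer (hex with 0x or decimal) and reads it back as a signed decimal; the function names are mine.

```python
"""Helpers around the system-wide capability bounding set (cap-bound).
Added example, not code from the thread. Assumes the legacy
/proc/sys/kernel/cap-bound interface: a 32-bit mask, one bit per
capability, written as an integer and read back as signed decimal."""
import os

CAP_SYS_MODULE = 16            # bit index from linux/capability.h
CAP_BOUND_PATH = "/proc/sys/kernel/cap-bound"
ALL_CAPS = 0xFFFFFFFF          # every capability allowed


def parse_cap_bound(text):
    """Parse a cap-bound value as the kernel prints or accepts it:
    signed decimal ("-1" = all caps, "-65537" = all but CAP_SYS_MODULE)
    or hex as an admin would type it ("0xFFFEFFFF").
    Returns an unsigned 32-bit mask."""
    return int(text.strip(), 0) & 0xFFFFFFFF


def mask_without(cap_bit, mask=ALL_CAPS):
    """Return the mask with the given capability bit cleared.
    mask_without(CAP_SYS_MODULE) is the 0xFFFEFFFF from the thread."""
    return mask & ~(1 << cap_bit) & 0xFFFFFFFF


def allows_module_loading(text):
    """True if CAP_SYS_MODULE is still in the bounding set."""
    return bool(parse_cap_bound(text) & (1 << CAP_SYS_MODULE))


def to_signed_decimal(mask):
    """The form in which the kernel reports the mask on read-back."""
    return mask - (1 << 32) if mask & 0x80000000 else mask


def check_system(path=CAP_BOUND_PATH):
    """Read the live bounding set; None if this kernel lacks cap-bound."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return allows_module_loading(f.read())


if __name__ == "__main__":
    target = mask_without(CAP_SYS_MODULE)
    print("value to write: 0x%08X (reads back as %d)"
          % (target, to_signed_decimal(target)))
    state = check_system()
    if state is None:
        print("no %s on this kernel" % CAP_BOUND_PATH)
    else:
        print("module loading currently %s" % ("ALLOWED" if state else "blocked"))
```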
Copyright 2010, SecurityFocus