Honeypots: Re: sebek as a patch?

Re: sebek as a patch?

From: Laurent OUDOT <oudot_at_rstack.org>
Date: Sun, 02 Oct 2005 23:50:37 +0200

Thorsten Holz wrote:
> Hi everyone,
>
> catching up on mails and it seems like nobody has replied to this yet...
>
> NAHieu wrote:
>
>>Hi,
>>
>>One problem of sebek is it is rather hard to hide it in kernel module
>>list (Imagine that the attacker has root access). I guess the
>>problem can be improved if we patch sebek directly into linux kernel,
>>so sebek is built in, and not run as module.
>
>
> I assume you want to use the Linux version of Sebek since for *BSD,
> there is a patch available at http://honeynet.droids-corp.org/
>
> Patching would be the best option, but unfortunately there is not yet a
> patch for Linux available. Another possibility to complicate the process
> of removing a module is to remove the capability CAP_SYS_MODULE from the
> bounding set. Afterwards, no modules can be un-/loaded. Just use
> something like
>
> echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
>
> to remove CAP_SYS_MODULE...

As I said during Pacsec Tokyo core04, you might also be interested in
hardening your Sebek-based honeypot against attackers playing with
/dev/[k]mem directly.

So, another idea would be to disable the capability CAP_SYS_RAWIO in
order to reject this kind of behaviour (unless you really need such
kind of access because of specific applications (like X11, etc.)).

Regards,

--
laurent
http://frenchhoneynet.org/
Received on Oct 04 2005
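The two hardening steps discussed in this thread (clearing CAP_SYS_MODULE, and Laurent's suggestion of also clearing CAP_SYS_RAWIO) both come down to writing a bitmask to the legacy system-wide bounding set. The following is an added shell example, not code from either poster or from the Sebek project; it assumes a kernel old enough to still expose /proc/sys/kernel/cap-bound (this sysctl was removed in 2.6.25, where the bounding set became per-process) and uses the capability bit numbers from the kernel's include/linux/capability.h.

```shell
#!/bin/sh
# Added example: compute the value to write to the legacy
# /proc/sys/kernel/cap-bound sysctl so that the named capabilities are
# removed from the system-wide bounding set, and check whether a value
# read back from that file still contains a given capability.

# Map a capability name to its bit number (constants from the kernel's
# include/linux/capability.h; only the ones relevant to the thread).
cap_bit() {
    case "$1" in
        CAP_SYS_MODULE) echo 16 ;;   # insert/remove kernel modules
        CAP_SYS_RAWIO)  echo 17 ;;   # /dev/mem, /dev/kmem, ioperm/iopl
        CAP_SYS_PTRACE) echo 19 ;;
        CAP_SYS_ADMIN)  echo 21 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Print the 32-bit mask with every listed capability cleared, e.g.
#   capbound_mask CAP_SYS_MODULE               -> 0xfffeffff (the thread's value)
#   capbound_mask CAP_SYS_MODULE CAP_SYS_RAWIO -> 0xfffcffff
capbound_mask() {
    mask=$(( 0xFFFFFFFF ))          # all 32 legacy capability bits set
    for cap in "$@"; do
        bit=$(cap_bit "$cap") || return 1
        mask=$(( mask & ~(1 << bit) ))
    done
    printf '0x%08x\n' "$mask"
}

# Succeed (exit 0) if capability $2 is still present in mask $1.  The
# old kernel reports cap-bound as a signed decimal (e.g. -65537 for
# 0xFFFEFFFF); arithmetic right shift handles that form as well as hex.
cap_in_set() {
    bit=$(cap_bit "$2") || return 1
    [ $(( ($1 >> bit) & 1 )) -eq 1 ]
}

# Live usage on such a kernel, as root, applying both ideas from the thread:
#   capbound_mask CAP_SYS_MODULE CAP_SYS_RAWIO > /proc/sys/kernel/cap-bound
#   cap_in_set "$(cat /proc/sys/kernel/cap-bound)" CAP_SYS_RAWIO \
#       && echo "CAP_SYS_RAWIO still in bounding set"
```

Dropping a bit from this bounding set is one-way until reboot, so verify with cap_in_set before relying on it, and expect X11 or other raw-I/O users to break once CAP_SYS_RAWIO is gone.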