On 10/2/05, Thorsten Holz <thorsten.holz_at_mmweg.rwth-aachen.de> wrote:
> Hi everyone,
>
> catching up on mails and it seems like nobody has replied to this yet...
>
> NAHieu wrote:
> > Hi,
> >
> > One problem of sebek is it is rather hard to hide it in kernel module
> > list (Imagine that the attacker has root access). I guess the
> > problem can be improved if we patch sebek directly into linux kernel,
> > so sebek is built in, and not run as module.
>
> I assume you want to use the Linux version of Sebek since for *BSD,
> there is a patch available at http://honeynet.droids-corp.org/
Yes, I am working on Linux.
>
> Patching would be the best option, but unfortunately there is not yet a
> patch for Linux available. Another possibility to complicate the process
> of removing a module is to remove the capability CAP_SYS_MODULE from the
> bounding set. Afterwards, no modules can be un-/loaded. Just use
> something like
>
> echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
>
> to remove CAP_SYS_MODULE...
Also never forget to disable /dev/{kmem,mem}
Thanks.
Hieu
Received on Oct 05 2005
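The capability-bounding-set trick above (drop CAP_SYS_MODULE so no further modules can be loaded or unloaded) can be wrapped in a small script, together with a check that a defender can run afterwards to confirm the bit is really gone. The script below is an added example written for this page, not code from the thread or from the Sebek project. It assumes CAP_SYS_MODULE is capability number 16 (as in linux/capability.h), that /proc/sys/kernel/cap-bound exists only on legacy kernels (it was removed in 2.6.25, after which the bounding set is per-process and shown in the CapBnd line of /proc/<pid>/status), and it uses a constructed /proc/<pid>/status sample for the check.

```shell
#!/bin/sh
# Capability number from linux/capability.h (CAP_SYS_MODULE is bit 16).
CAP_SYS_MODULE=16

# Print the 32-bit bounding-set mask with one capability bit cleared.
# $1 = current mask (hex like 0xFFFFFFFF, or the signed decimal that the
#      legacy cap-bound file prints), $2 = capability number.
cap_mask_without() {
    printf '0x%08X\n' $(( ($1 & 0xFFFFFFFF) & ~(1 << $2) & 0xFFFFFFFF ))
}

# Print "present" or "absent" depending on whether bit $2 is set in mask $1.
cap_in_mask() {
    if [ $(( ($1 >> $2) & 1 )) -eq 1 ]; then echo present; else echo absent; fi
}

# Extract the CapBnd value (as 0x-prefixed hex) from /proc/<pid>/status text.
capbnd_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*\([0-9a-fA-F]*\).*/0x\1/p'
}

# Combine the two: is capability $2 still in the bounding set shown in $1?
cap_in_status() {
    cap_in_mask "$(capbnd_from_status "$1")" "$2"
}

# Legacy (< 2.6.25) kernels only: clear capability $1 from the system-wide
# bounding set, exactly as the thread suggests. The write is irreversible
# until reboot, which is the point. On newer kernels the file is absent.
drop_cap_from_bounding_set() {
    f=/proc/sys/kernel/cap-bound
    if [ -w "$f" ]; then
        cur=$(cat "$f")
        new=$(cap_mask_without "$cur" "$1")
        echo "$new" > "$f"
        echo "cap-bound: $cur -> $new"
    else
        echo "$f not writable or absent (kernel >= 2.6.25 uses per-process CapBnd)"
    fi
}

# Constructed sample of a modern /proc/<pid>/status (not captured from a real host):
# one process with a full bounding set, one with CAP_SYS_MODULE (bit 16) removed.
SAMPLE_STATUS_FULL='Name:   sshd
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

SAMPLE_STATUS_NOMOD='Name:   sshd
CapInh: 0000000000000000
CapPrm: 000001fffffeffff
CapEff: 000001fffffeffff
CapBnd: 000001fffffeffff
CapAmb: 0000000000000000'

# Usage: the mask the thread writes, and the check against both samples.
echo "mask without CAP_SYS_MODULE: $(cap_mask_without 0xFFFFFFFF "$CAP_SYS_MODULE")"
echo "full bounding set:  CAP_SYS_MODULE $(cap_in_status "$SAMPLE_STATUS_FULL" "$CAP_SYS_MODULE")"
echo "reduced bounding set: CAP_SYS_MODULE $(cap_in_status "$SAMPLE_STATUS_NOMOD" "$CAP_SYS_MODULE")"
```

On a live legacy host, `drop_cap_from_bounding_set "$CAP_SYS_MODULE"` performs the write; on any kernel, feeding `cat /proc/1/status` into `cap_in_status` shows whether module loading is still possible from that process's bounding set.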