Slashdot Mirror


Sebek2 - A Kernel-based Data Capture Tool

LogError writes "Sebek is a piece of code that lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."

3 of 74 comments

  1. Great tool in the right hands by mpeg4codec · Score: 4, Insightful

    This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.

    1. Re:Great tool in the right hands by moreati · Score: 5, Insightful

      True, like anything this has Good and Evil uses, but since it is kernel resident it requires either a reboot or a suitable set of hooks in the running kernel so it can be loaded as a module.

      Thus the impact of malicious use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some variant of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.

      In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, i.e. for spying on employees at their workstation, even if they have root.

      Regards

      Alex
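As an added example (not from this thread or from the Sebek project), a POSIX shell check for the first two mitigations moreati lists on a Linux host: whether module loading has been disabled for the rest of the boot (the kernel.modules_disabled sysctl) and whether only signed modules are accepted (module.sig_enforce). The optional staged-root argument is an assumption added so the check can be exercised offline against a constructed copy of /proc and /sys.

```shell
#!/bin/sh
# Audit loadable-module lockdown on a running Linux kernel:
#   kernel.modules_disabled = 1  -> no further modules can be loaded until reboot
#   module.sig_enforce      = Y  -> unsigned modules are rejected
# ROOT (default "/") is an assumption: it lets the check run against a staged
# copy of /proc and /sys instead of the live system.

read_flag() {
    # Print the file's first line, or "absent" if the kernel does not expose it
    # (an absent knob is treated as "not locked down").
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        echo absent
    fi
}

audit_module_lockdown() {
    root="${1:-/}"
    disabled=$(read_flag "$root/proc/sys/kernel/modules_disabled")
    sig=$(read_flag "$root/sys/module/module/parameters/sig_enforce")
    status=0
    case "$disabled" in
        1) echo "modules_disabled=1: module loading is locked until reboot" ;;
        *) echo "modules_disabled=$disabled: modules can still be loaded" \
                "(set kernel.modules_disabled=1 once all needed modules are in)"
           status=1 ;;
    esac
    case "$sig" in
        Y) echo "sig_enforce=Y: unsigned modules are rejected" ;;
        *) echo "sig_enforce=$sig: unsigned modules are accepted" \
                "(boot with module.sig_enforce=1 or build with CONFIG_MODULE_SIG_FORCE)"
           status=1 ;;
    esac
    return $status   # 0 only when both knobs are in their locked state
}

# Report on the live system when run directly; exit status is not propagated
# here so the script can also be sourced.
if audit_module_lockdown "${1:-/}"; then
    echo "module lockdown: complete"
else
    echo "module lockdown: incomplete"
fi
```

Note that kernel.modules_disabled is one-way: once set to 1 it cannot be cleared without a reboot, so set it only after every module the host needs has been loaded.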

  2. Plonked off the high horse by poptones · Score: 2, Insightful

    There are nearly 3/4 of a million registered users of slashdot. Like it or not, cowboy, this isn't a site that caters exclusively to those "already in the know." It's an advocacy site as much as anything, and the readers here are going to come from thousands of different backgrounds and have thousands of different viewpoints.

    This article is interesting. I'm not an admin of a corporate WAN and there's only so much damage that can be done to a home network, so my interest is not sufficient to compel me to "search for it" any more than my interest in particle physics would drive me to "search for" the latest technical papers on particle accelerators.

    If this offends your l33t sensibilities then you need a thorough ass kicking by RMS and JP Barlow to remind you of why sites like slashdot even exist.