eurosec2020-pandacap-vm (4 files)
README.md
Type: Dataset
Tags: Dataset, PANDA, record and replay, docker, honeypot, framework
Bibtex:
Tags: Dataset, PANDA, record and replay, docker, honeypot, framework
Bibtex:
@inproceedings{pandacap-eurosec20,
author= {Stamatogiannakis, Manolis and Bos, Herbert and Groth, Paul},
title= {PANDAcap – SSH Honeypot VM},
abstract= {# PANDAcap – Ubuntu 16.04 QCOW
## Overview
This is the [QCOW][qcow] disk image used in our **EuroSec 2020**
publication about the **[PANDAcap][pandacap]** framework.
---------------------------------------------------------------------
[1] Manolis Stamatogiannakis, Herbert Bos, and Paul Groth.
PANDAcap: A Framework for Streamlining Collection of Full-System Traces.
In *Proceedings of the 13th European Workshop on Systems Security*,
EuroSec '20, Heraklion, Greece, April 2020.
doi: [10.1145/3380786.3391396][eurosec20-doi]
---------------------------------------------------------------------
## Image details
### Generic information
* Installed operating system: Ubuntu 16.04 LTS
* Kernel image: `linux-image-4.4.0-130-generic`
* Last software update: 17 Feb 2020
* Login credentials: `panda:panda`
* The image has been scrubbed and compacted to reduce its size and make
it ready for reuse in other projects.
* A [PANDA][panda] kernel profile for use with the [osi_linux][osi_linux]
plugin is included: `ubuntu16-planb-kernelinfo.conf`
### Modifications related to PANDAcap
The image contains some modifications related to [PANDAcap][pandacap],
as listed below.
* [`recctrlu`][recctrlu] has been installed in `/usr/local/sbin`.
* [`recctrlu.sh`][recctrlu] has been installed in `/usr/local/bin`.
* `recctrlu.sh` has been hooked to `/etc/pam.d/sshd`.
If the PANDA [`recctrl`][recctrl] plugin is active, this will trigger
PANDA to start recording after a successful ssh login.
* `rc.local` will run `/root/usbbootstrap.sh` at boot-time.
This will run runtime bootstrapping scripts when the image boots,
and then clean-up after itself.
### Removing PANDAcap modifications
The PANDAcap-related modification should not affect the use of the image
for most other purposes. If needed, they can be removed as following.
```bash
sudo sed -i '/recctrlu.sh/d' /etc/pam.d/sshd
sudo rm -f /usr/local/{,s}bin/recctrlu*
sudo sed -i '/usbbootstrap.sh/d' /etc/rc.local
sudo rm /root/usbbootstrap.sh
```
[eurosec20-doi]: https://doi.org/10.1145/3380786.3391396
[osi_linux]: https://github.com/panda-re/panda/tree/master/panda/plugins/osi_linux
[panda]: https://github.com/panda-re/panda
[pandacap]: https://github.com/vusec/pandacap
[qcow]: https://en.wikipedia.org/wiki/Qcow
[recctrl]: https://github.com/panda-re/panda/tree/master/panda/plugins/recctrl
[recctrlu]: https://github.com/panda-re/panda/tree/master/panda/plugins/recctrl/utils},
keywords= {dataset, PANDA, record and replay, docker, honeypot, framework},
terms= {This VM IMAGE is a COLLECTION of various open-source components, shared for research purposes. The VM IMAGE is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors of the VM IMAGE or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the VM IMAGE or the use or other dealings in the VM IMAGE. NO ASSERTIONS are made on the copyright and licensing terms of the open-source components included in the VM IMAGE.},
license= {},
superseded= {},
url= {https://github.com/vusec/pandacap}
}