Thread: Anti-Rootkit app

Anti-Rootkit app
Spain
2008-01-13 15:38:37
Hi all,

I need to install an anti-rootkit in a lot of servers. I know that
there are several options: tripwire, aide, chkrootkit...

What do you prefer?

Obviously, I have to define my needs:

- easy setup and configuration
- actively developed

-- 
Thanks,
Jordi Espasa Clofent
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to
"freebsd-security-unsubscribe@freebsd.org"

Re: Anti-Rootkit app
2008-01-14 04:15:12

Hi Jordi,

On 13/01/2008, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there are several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed
>

I've used Integrit (http://integrit.sourceforge.net) on quite a number
of machines. It's very easy to set up and get going quickly. There is a
port, but it doesn't seem to have been updated to the latest version
(4.1) yet.

rg

--
rob.gallagher (at) gmail.com || www.spoofedpacket.net || PK: 0x1DD13A78

Re: Anti-Rootkit app
Czech Republic
2008-01-14 12:21:12
Jordi Espasa Clofent wrote:

> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there are several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

I am using security/rkhunter from ports. It is really easy to set up and
configure.
I have some local scripts for periodic reports which I plan to submit to
the PR database.

Miroslav Lachman

Re: Anti-Rootkit app
Czech Republic
2008-01-14 13:11:22
>> I need to install an anti-rootkid

	If I understand correctly, an intruder needs to be superuser to be able
to install a rootkit.

	If our intruders have superuser privileges, they can tamper with any
anti-rootkit.

	Is the main reason to install an anti-rootkit that we count on the
intruders being so dumb as to look for one of the ports' anti-rootkit
packages before they do their dirty work?

	Or am I missing something important?

					Dan

Re: Anti-Rootkit app
United States
2008-01-14 15:24:11
On Sun, Jan 13, 2008 at 10:38:37PM +0100, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there are several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

These needs are nice, but what effects do you want to achieve?

If you want to verify that nobody's loaded a rootkit, you can use
chkrootkit.  Note that detecting a running rootkit is actively hard,
and is prone to failure.

If you want to verify that nobody has changed files on your system,
you can use a tripwire-like system.  Mtree(1) actually includes
tripwire-like functionality, which I've used quite successfully in the
past.

I think that the latter is more realistic, but that's just my humble
opinion.

==ml

-- 
Michael W. Lucas 	mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
		http://www.BlackHelicopters.org/~mwlucas/
      Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
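The mtree-style baseline-and-verify approach Michael describes, as an added example that is not part of the thread and not FreeBSD's mtree itself: a small Python tool that records the same kind of spec (type, mode, uid, size, sha256 digest or link target) and later replays it against the live tree, which is my reading of what `mtree -c -K sha256digest -p DIR > spec` followed by `mtree -p DIR < spec` does; the `demo()` directory, file names and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example, not the thread's code: an mtree/Tripwire-style baseline of
# on-disk metadata. It cannot see KLD or in-memory rootkits; keep it off-host.

def build_baseline(root):
    """Type, mode, uid, size and sha256 (or link target) per path."""
    spec = {}
    for p in Path(root).rglob("*"):
        st = p.lstat()
        if stat.S_ISDIR(st.st_mode):
            continue                      # directories carry no digest here
        entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                 "size": st.st_size, "type": "other"}
        if stat.S_ISLNK(st.st_mode):
            entry.update(type="link", link=os.readlink(p))
        elif stat.S_ISREG(st.st_mode):
            entry.update(type="file", sha256=hashlib.sha256(p.read_bytes()).hexdigest())
        spec[str(p.relative_to(root))] = entry
    return spec

def compare(baseline, current):
    """Extra, missing and changed entries, as mtree reports on verify."""
    changed = {}
    for rel in set(baseline) & set(current):
        old, new = baseline[rel], current[rel]
        diff = {k: (old.get(k), new.get(k)) for k in set(old) | set(new)
                if old.get(k) != new.get(k)}
        if diff:
            changed[rel] = diff
    return {"extra": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current)),
            "changed": changed}

def demo():
    """Constructed: baseline a fake bin/, then swap, delete and add a file."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        for n in ("ls", "ps", "netstat"):
            (bindir / n).write_bytes(b"original " + n.encode())
        base = build_baseline(root)
        (bindir / "ps").write_bytes(b"modified ps")  # same size, new digest
        (bindir / "netstat").unlink()
        (bindir / "extra").write_bytes(b"")
        return compare(base, build_baseline(root))
```

The replaced "ps" keeps its size, so only the digest exposes it; as Dan's and Jan's replies point out, a root-level intruder can edit the stored spec and a kernel-resident rootkit changes no file at all, so the spec belongs on read-only or remote storage and this remains one check among several.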

Re: Anti-Rootkit app
Germany
2008-01-14 17:41:09
Howdy,
> If you want to verify that nobody has changed files on your system,
> you can use a tripwire-like system.  Mtree(1) actually includes
> tripwire-like functionality, which I've used quite successfully in the
> past.
>
> I think that the latter is more realistic, but that's just my humble
> opinion.
>
The point really is that people expect way too much from Tripwire-style
file integrity checkers. No self-respecting rootkit author nowadays
writes anything that is based on replacing system binaries. Typically,
there are KLD-based rootkits, or even just ones that live in memory,
which are impossible to catch with this approach. From what I recall
(been ages since I looked into this) chkrootkit and rkhunter do some
basic things to try and detect whether syscalls got hooked, but it is
absolutely nothing I would rely on.  As Michael has pointed out,
detecting a running rootkit is hard, if not close to impossible, if you
have a skilled attacker (which, granted, is rarely the case).

I'd put more stress on the preventive side of things, use MAC etc., and
just generally monitor your system well, update it, and maintain it
wisely - I think that's effort better spent.

Cheers,

Jan

-- 
Jan Muenther, CTO Security, n.runs AG
