Re: What is the best free HIDS for Debian
On 03.05.22 15:03, Jonathan Hutchins wrote:
When testing for intrusion on a system that has been running with a live
connection, it's necessary to test from an inviolate source, an ISO
image that is known to be un-infected. Obviously, this should not be
created on an infected machine, which is a problem if you have limited
resources.
Yes, exactly. If you are running Debian I would personally recommend
debcheckroot (https://www.elstel.org/debcheckroot/). It can test against
fresh, untampered binary packages from any bootable Linux media. Debian
is not required; use the next Linux magazine DVD. A system like Tripwire
that monitors for file changes can itself be attacked, manipulating
the checksums stored by it in a way that you won't detect these
changes. You would need a backup of the sha256sums from a time before
the intrusion, which is however not too old either. Using a package-based
checksum verifier like debcheckroot you do not have these problems!
Note also that the date and time of the *first* intrusion may be
earlier than what you think they are from the timeline if you have a tricky
attacker. The timeline (file access, modification, creation times) is good
for reconstructing what has happened, but you don't need any with
debcheckroot.
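The following is an added example (not part of the original mail, and not debcheckroot's own code) illustrating the point above: a verifier that checks an installed tree against a pristine, sha256sum-style package manifest, with a constructed scenario in which an on-host checksum database has been rewritten to agree with a tampered file while the pristine manifest still catches it. File names, contents and the manifest format are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <relative path>') into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest.lower()
    return entries

def verify_tree(root, manifest_text):
    """Compare files under root with the manifest; list modified and missing files."""
    report = {"modified": [], "missing": []}
    for rel, expected in sorted(parse_manifest(manifest_text).items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed scenario: a tampered on-host checksum DB vs. a pristine manifest."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"original ls\n", "etc/issue": b"Debian\n"}  # constructed
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Manifest derived from the untampered package, kept on read-only media.
        pristine = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {r}" for r, d in files.items())
        # Simulate an intrusion that replaces a binary ...
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls\n")
        # ... and rewrites the locally stored checksum database to match it.
        local_db = "\n".join(f"{sha256_file(os.path.join(root, r))}  {r}" for r in files)
        return verify_tree(root, local_db), verify_tree(root, pristine)
```

`demo()` returns two reports: the rewritten local database reports nothing, while the pristine manifest flags `bin/ls` as modified.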