
Re: What is the best free HIDS for Debian

On 03.05.22 15:03, Jonathan Hutchins wrote:
When testing for intrusion on a system that has been running with a live connection, it's necessary to test from an inviolate source, an ISO image that is known to be un-infected.  Obviously, this should not be created on an infected machine, which is a problem if you have limited resources.

Yes, exactly. If you are running Debian I would personally recommend debcheckroot (https://www.elstel.org/debcheckroot/). It can test against fresh, untampered binary packages from any bootable Linux media. Debian is not required; use the next Linux magazine DVD. A system like Tripwire that monitors for file changes can itself be attacked, by manipulating the checksums it stores in a way that you won't detect these changes. You would need a backup of the sha256sums from a time before the intrusion which is, however, not too old either. Using a package-based checksum verifier like debcheckroot you do not have these problems! Note also that the date and time of the *first* intrusion may be earlier than what you think they are from the timeline if you have a tricky attacker. A timeline (file access, modification, creation times) is good for reconstructing what has happened, but you don't need one with debcheckroot.
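The principle the reply describes, as an added example that is not part of the original e-mail and is not debcheckroot's own code: the checksums come from a pristine tree kept on the clean boot media, and the suspect root is compared against them, so nothing on the suspect disk is trusted. The paths (a pristine tree unpacked with `dpkg-deb -x` from a freshly downloaded package, and a suspect root mounted read-only, e.g. at /mnt/suspect) are placeholders, and the `demo` function builds a small constructed pair of trees instead of touching a real system.

```shell
#!/bin/sh
# Added example, not from the original post or from debcheckroot.
# Assumptions (placeholders): $PRISTINE is a tree unpacked on the clean media
# with `dpkg-deb -x pkg.deb "$PRISTINE"`; $ROOT is the suspect system's root,
# mounted read-only from the live media. The suspect disk is never trusted
# for checksums, only for the files being checked.

# Build a sha256 manifest of the pristine tree, paths relative to its root.
make_manifest() {
    pristine=$1
    ( cd "$pristine" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# Compare the suspect root against the manifest; print one line per finding:
#   MODIFIED <path>  content differs from the pristine package
#   MISSING  <path>  file shipped in the package but absent on the suspect root
# Returns 1 if anything was reported, 0 if every packaged file matched.
verify_root() {
    manifest=$1
    root=$2
    status=0
    while read -r sum path; do
        rel=${path#./}
        target="$root/$rel"
        if [ ! -f "$target" ]; then
            echo "MISSING  /$rel"
            status=1
        elif [ "$(sha256sum "$target" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED /$rel"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demonstration data (not a real system): a pristine tree with
# three files, and a suspect root where /usr/bin/ls was replaced and
# /usr/bin/who was removed. Returns verify_root's status.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/pristine/usr/bin" "$work/suspect/usr/bin"
    printf 'ls\n'  > "$work/pristine/usr/bin/ls"
    printf 'who\n' > "$work/pristine/usr/bin/who"
    printf 'cat\n' > "$work/pristine/usr/bin/cat"
    printf 'ls-with-backdoor\n' > "$work/suspect/usr/bin/ls"
    printf 'cat\n'              > "$work/suspect/usr/bin/cat"
    make_manifest "$work/pristine" > "$work/manifest.sha256"
    verify_root "$work/manifest.sha256" "$work/suspect"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

Run it from the live media; on a real system you would call `make_manifest "$PRISTINE" > manifest.sha256` once per package on the clean media and then `verify_root manifest.sha256 /mnt/suspect`. Files present on the suspect root but absent from every package (added binaries, cron jobs, dropped keys) are not covered by a package manifest and still need a separate look.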
