Re: What is the best free HIDS for Debian

To: Michael Lazin <microlaser@gmail.com>, Sylvain <ssecherre@free.fr>
Cc: debian-security@lists.debian.org
Subject: Re: What is the best free HIDS for Debian
From: estellnb@elstel.org
Date: Sun, 08 May 2022 20:43:21 +0200
Message-id: <[🔎] 3269f6ada90bb33d1a672932ff4afc82@elstel.org>
In-reply-to: <[🔎] CALdcr8d8tq49E2+UE1khcb5YKKJP+FWTiLtnObQ7L5+afFJwxg@mail.gmail.com>
References: <[🔎] 62701ec7$0$18715$426a34cc@news.free.fr> <[🔎] 627260e6$0$24819$426a74cc@news.free.fr> <[🔎] 7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <[🔎] 42898050-0dea-3cfb-3462-0a58452182e5@elstel.org> <Ek6Yh-dEgS-3@gated-at.bofh.it> <[🔎] 6277d936$0$22287$426a74cc@news.free.fr> <[🔎] CALdcr8d8tq49E2+UE1khcb5YKKJP+FWTiLtnObQ7L5+afFJwxg@mail.gmail.com>

Am 08.05.22 um 20:21 schrieb Michael Lazin:> I think if you have a rootkit it is very unlikely to get rid of it

without backing up and reimaging but you may be able to achieve it if
you try first rkhunter and second apparmor which is similar to selinux
which was developed by the nsa and made accessible as a Red Hat
package.  Both solutions have the ability to limit what root can do and
is your only real option for saving a rooted system.  It is important

that if you try this that you dump your memory rkunter picks up amemory

anomaly.  Fileless malware is popular among sophisticated threat actors
and rkhunter is equipped to find malware that resides in memory.
Apparmor is included in Debian.

Thanks,
Michael Lazin

Yes, it would be really interesting if rkhunter has also found therootkit. If it was developed by the NSA, I am sure it would not find arootkit used by the NSA. To my knowledge Apparmor was first developed aspart of openSUSE. I can remember having filed them a report with thequest to keep Apparmor as it is more easy to use than SELinux.


Elmar

P.S.: A memory only rootkit would still need a hook to reinstall on afresh boot.

Reply to:

Follow-Ups:
- Re: What is the best free HIDS for Debian
  - From: Michael Lazin <microlaser@gmail.com>
- Re: What is the best free HIDS for Debian
  - From: estellnb@elstel.org

References:
- What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Michael Lazin <microlaser@gmail.com>

Prev by Date: Re: What is the best free HIDS for Debian
Next by Date: Re: What is the best free HIDS for Debian
Previous by thread: Re: What is the best free HIDS for Debian
Next by thread: Re: What is the best free HIDS for Debian
Index(es):
- Date
- Thread