
Re: What is the best free HIDS for Debian

On 08.05.22 at 20:21, Michael Lazin wrote:
> I think if you have a root kit it is very unlikely to get rid of it
> without backing up and reimaging, but you may be able to achieve it if
> you try first rkhunter and second AppArmor, which is similar to SELinux,
> which was developed by the NSA and made accessible as a Red Hat
> package.  Both solutions have the ability to limit what root can do and
> are your only real option for saving a rooted system.  It is important
> that if you try this that you dump your memory if rkhunter picks up a memory
> anomaly.  Fileless malware is popular among sophisticated threat actors
> and rkhunter is equipped to find malware that resides in memory.
> AppArmor is included in Debian.

Michael Lazin
Yes, it would be really interesting if rkhunter had also found the rootkit. If it was developed by the NSA, I am sure it would not find a rootkit used by the NSA. To my knowledge AppArmor was first developed as part of openSUSE. I can remember having filed a report with them with the request to keep AppArmor, as it is easier to use than SELinux.


P.S.: A memory-only rootkit would still need a hook to reinstall on a fresh boot.
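The P.S. above is the practical lever for a defender: whatever runs only in memory has to be re-launched from something on disk at the next boot. The script below is an added example, not code from the thread or from rkhunter; it walks the standard Debian locations where such a hook would sit (/etc/ld.so.preload, /etc/rc.local, /etc/cron.d, locally installed systemd units under /etc/systemd/system, and /etc/modules-load.d) and prints one line per entry worth a manual look. It takes a root directory as its argument so it can be pointed at a mounted disk image or, as here, at a constructed sample tree; the sample paths (libsample.so, sample-daemon and so on) are invented for the demo. Treat the output as a review list to compare against what you installed yourself, not as a verdict.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate boot-time persistence hooks
# under a given root so they can be reviewed after a suspected compromise.
# Read-only; nothing is modified.

# Print one "FINDING <kind> <detail>" line per item worth reviewing under $1.
audit_boot_hooks() {
    root="${1:-/}"

    # 1. /etc/ld.so.preload: every listed library is injected into every
    #    dynamically linked process, including root's. Legitimate use is rare.
    if [ -s "$root/etc/ld.so.preload" ]; then
        while IFS= read -r lib || [ -n "$lib" ]; do
            case "$lib" in ''|'#'*) continue ;; esac
            echo "FINDING ld.so.preload $lib"
        done < "$root/etc/ld.so.preload"
    fi

    # 2. /etc/rc.local: run by init at boot; report anything that is not a
    #    comment, a blank line or the closing "exit 0".
    if [ -f "$root/etc/rc.local" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*|'exit 0') continue ;; esac
            echo "FINDING rc.local $line"
        done < "$root/etc/rc.local"
    fi

    # 3. System-wide cron drop-ins: one finding per file.
    for f in "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        echo "FINDING cron.d ${f#"$root"}"
    done

    # 4. Locally installed systemd services (package units live under /lib;
    #    symlinks here are usually masked units, so they are skipped).
    for f in "$root"/etc/systemd/system/*.service; do
        [ -L "$f" ] && continue
        [ -f "$f" ] || continue
        echo "FINDING systemd ${f#"$root"}"
    done

    # 5. Kernel modules loaded at boot via modules-load.d: one finding per module.
    for f in "$root"/etc/modules-load.d/*.conf; do
        [ -f "$f" ] || continue
        while IFS= read -r mod || [ -n "$mod" ]; do
            case "$mod" in ''|'#'*|';'*) continue ;; esac
            echo "FINDING modules-load.d $mod (${f#"$root"})"
        done < "$f"
    done
}

# Number of findings under $1, printed without surrounding whitespace.
count_boot_hooks() {
    audit_boot_hooks "$1" | grep -c '^FINDING' || true
}

# Constructed sample tree (not a real system) so the audit runs offline.
# All file names and paths inside it are invented for this demo.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/systemd/system" "$d/etc/modules-load.d"
    printf '/usr/local/lib/libsample.so\n' > "$d/etc/ld.so.preload"
    printf '#!/bin/sh\n/usr/local/bin/sample-start\nexit 0\n' > "$d/etc/rc.local"
    printf '* * * * * root /usr/local/bin/sample-task\n' > "$d/etc/cron.d/sample"
    printf '[Service]\nExecStart=/usr/local/bin/sample-daemon\n' \
        > "$d/etc/systemd/system/sample.service"
    printf '# comment line\nsample_mod\n' > "$d/etc/modules-load.d/sample.conf"
    echo "$d"
}

# Demo against the constructed tree; on a live host run: audit_boot_hooks /
DEMO=$(make_sample_root)
audit_boot_hooks "$DEMO"
rm -rf "$DEMO"
```

On a live system the cron.d and systemd lists will contain plenty of legitimate package entries; the point is to diff them against a known-good host or package manifest, and to give special weight to the ld.so.preload and rc.local findings, which almost never appear on a stock Debian install.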
