Re: What is the best free HIDS for Debian
SELinux was made by the NSA, but it is open source: anyone can review the source code. This is part of what makes open source software reliable; it gets seen by many eyes, and even if you don't review every line of code yourself, you have a web of trust that someone has reviewed it, and it is strengthened by key signing, which is more common in the Debian community. Thank you.
On 08.05.22 at 20:21, Michael Lazin wrote:
> I think if you have a rootkit it is very unlikely to get rid of it
> without backing up and reimaging, but you may be able to achieve it if
> you try first rkhunter and second AppArmor, which is similar to SELinux,
> which was developed by the NSA and made accessible as a Red Hat
> package. Both solutions have the ability to limit what root can do and
> are your only real option for saving a rooted system. It is important
> that if you try this you dump your memory if rkhunter picks up an
> anomaly. Fileless malware is popular among sophisticated threat actors,
> and rkhunter is equipped to find malware that resides in memory.
> AppArmor is included in Debian.
> Michael Lazin
Yes, it would be really interesting to know whether rkhunter would also have found the
rootkit. If it was developed by the NSA, I am sure it would not find a
rootkit used by the NSA. To my knowledge, AppArmor was first developed as
part of openSUSE. I can remember having filed a report with them with the
request to keep AppArmor, as it is easier to use than SELinux.
P.S.: A memory-only rootkit would still need a hook to reinstall on a
.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
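Since the thread keeps coming back to checking a possibly rooted Debian host, here is an added example (not rkhunter's, debsums' or any poster's code) of the simplest HIDS building block: verifying files against a dpkg-style md5sums manifest, the format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums ("<md5>  <path relative to />"). The package tree, the manifest and the tampering below are all constructed in a temporary directory so the script runs offline; the function names are this example's own. The caveat the thread itself makes still applies: a kernel-level rootkit can lie to md5sum on the running host, so a check like this is only trustworthy when run from a clean boot medium against the mounted disk, and a hit is a reason to reimage, not to clean.

```shell
#!/bin/sh
# Added example: minimal file-integrity check against a dpkg-style md5sums
# manifest. Not the code of rkhunter, debsums or Debian; names are this
# example's own. All files and the manifest are constructed in a temp dir.

# verify_manifest MANIFEST ROOT
# Reads "<md5>  <relative path>" lines from MANIFEST, hashes each file under
# ROOT and prints "MODIFIED <path>" or "MISSING <path>" for every problem.
# Returns 0 when every listed file matches, 1 otherwise.
verify_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue          # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING $relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"
            status=1
        fi
    done < "$manifest"
    return $status
}

# make_tree DIR
# Builds a small constructed "package" tree under DIR and writes the manifest
# DIR/manifest.md5sums from the pristine files, as dpkg would at install time.
make_tree() {
    dir=$1
    mkdir -p "$dir/usr/bin" "$dir/usr/lib"
    printf 'echo ls\n' > "$dir/usr/bin/ls"       # constructed stand-ins, not
    printf 'lib\n'     > "$dir/usr/lib/libc.so"   # real binaries
    printf 'ok\n'      > "$dir/usr/bin/ps"
    (cd "$dir" && md5sum usr/bin/ls usr/lib/libc.so usr/bin/ps) \
        > "$dir/manifest.md5sums"
}

# tamper_tree DIR
# Simulates what an integrity checker sees after a rootkit: a trojaned
# binary (ls) and a file that has been removed (ps).
tamper_tree() {
    dir=$1
    printf 'evil\n' > "$dir/usr/bin/ls"
    rm -f "$dir/usr/bin/ps"
}

# Usage demo: pristine tree passes, tampered tree reports both problems.
demo() {
    d=$(mktemp -d)
    make_tree "$d"
    verify_manifest "$d/manifest.md5sums" "$d" && echo "pristine tree: OK"
    tamper_tree "$d"
    verify_manifest "$d/manifest.md5sums" "$d" || echo "tampered tree: check FAILED (expected)"
    rm -rf "$d"
}
demo
```

On a real Debian system the manifests live in /var/lib/dpkg/info/ and are relative to /, so the equivalent offline run is to mount the suspect disk under /mnt and pass /mnt as ROOT; debsums and rkhunter do essentially this plus checks the manifest cannot express (config files, setuid lists, hidden processes), and the manifests themselves must be trusted, i.e. taken from the package archive rather than from the suspect disk.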