
Re: What is the best free HIDS for Debian

Hi All

I have been following this discussion with some interest.

I have a few questions, which all go to:

1. What behaviour leads the system owner/manager to believe that there is a security issue at play here?
2. How old is the system in question?
3. Have there been manual tool installs done on the system?
4. Has the system been fully updated/upgraded?
5. Have we eliminated other causes of file mismatch - bad/incomplete updates, corrupted HDD, bad RAM, user error?
6. Finally - does the debcheckroot tool look at the security distribution archive as well as the main Debian archive? There are times where packages are updated in the security archive, but not reflected in mainline.


On Sun, May 08, 2022 at 06:26:51PM -0400, Michael Lazin wrote:
> Rkhunter does find patterns of known rootkits but it also finds indicators
> like memory anomalies like I mentioned and it logs each file change from
> the install, this is why ideally you should install it in a fresh system.
> Thanks.
> Michael Lazin
> On Sun, May 8, 2022 at 3:45 PM <estellnb@elstel.org> wrote:
> > Am 08.05.2022 20:43, schrieb estellnb@elstel.org:
> > > P.S.: A memory only rootkit would still need a hook to reinstall on a
> > > fresh boot.
> >
> >    Yes I know it is an issue. Debcheckroot does f.i. not check you
> > initrd. To fix this issue I would need to program an own piece of
> > software like debcheckinitrd. Anyone who wants to support me can do
> > this: https://www.elstel.org/Contact.html. I am a free developer and I
> > do not get paid for my open source related work.
> >
> -- 
> Michael Lazin
> .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

Tomasz M. Ciolek
tmc at vandradlabs dot com dot au
GPG Key ID: 0x830AD092288EF017
GPG Key Fingerprint: 07DF B95B DB58 57B6 9656 682E 830A D092 288E F017
Key available on good key-servers
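A worked illustration of questions 5 and 6 above, added here as an example and not part of the thread, of debcheckroot, or of any Debian tool: before a checksum mismatch is treated as evidence of a rootkit, two mundane explanations are ruled out. First, a package's installed files are verified against a dpkg-style `.md5sums` list while registered conffiles (which admins legitimately edit) are reported separately from modified non-config files. Second, the package version in a main-archive `Packages` index is compared with the one in a security-archive index, because a file rebuilt from the security archive will legitimately differ from what main shipped. The package name `demo-tool`, its file paths, contents, checksums and versions are all constructed for the example.

```python
"""Triage helpers for a suspected file mismatch on a Debian system.

Added example: rule out ordinary causes of a mismatch before suspecting a
rootkit.  The md5sums / conffiles formats follow dpkg's conventions
(/var/lib/dpkg/info/<pkg>.md5sums lists "<md5>  <path without leading />",
<pkg>.conffiles lists absolute paths), but every package, path, content
and version here is constructed for the demonstration.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for the files that package "demo-tool" shipped.
ORIGINAL_CONTENTS = {
    "usr/bin/demo-tool": b"#!/bin/sh\necho demo\n",
    "usr/lib/demo-tool/helper.so": b"\x7fELF-constructed-bytes\n",
    "usr/share/doc/demo-tool/README": b"constructed readme\n",
    "etc/demo-tool.conf": b"level = 1\n",
}
# Constructed stand-in for demo-tool.conffiles (absolute paths).
CONFFILES = {"/etc/demo-tool.conf"}

# Constructed stand-ins for Packages index stanzas from the two archives.
MAIN_PACKAGES = """Package: demo-tool
Version: 1.0-1
Architecture: amd64

Package: other-pkg
Version: 2.3-4
Architecture: amd64
"""
SECURITY_PACKAGES = """Package: demo-tool
Version: 1.0-1+deb11u1
Architecture: amd64
"""


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def make_md5sums_text(contents):
    """Build a dpkg-style md5sums list from the constructed file contents."""
    return "".join(f"{md5_hex(data)}  {path}\n" for path, data in contents.items())


def parse_md5sums(text):
    """Map absolute path -> expected md5 from a dpkg-style md5sums list."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        expected["/" + rel.strip()] = digest
    return expected


def verify_files(root, expected, conffiles):
    """Return {path: status}; status is ok, missing, modified or conffile-modified."""
    result = {}
    for path, digest in expected.items():
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(on_disk):
            result[path] = "missing"
            continue
        with open(on_disk, "rb") as fh:
            actual = md5_hex(fh.read())
        if actual == digest:
            result[path] = "ok"
        elif path in conffiles:
            result[path] = "conffile-modified"   # local edit, expected
        else:
            result[path] = "modified"            # needs a real explanation
    return result


def parse_packages_index(text):
    """Map package name -> Version field from a Packages index."""
    versions, name = {}, None
    for line in text.splitlines():
        if line.startswith("Package:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Version:") and name:
            versions[name] = line.split(":", 1)[1].strip()
    return versions


def security_differs(main_text, security_text):
    """Packages whose version in the security index differs from main."""
    main, sec = parse_packages_index(main_text), parse_packages_index(security_text)
    return {p: (main.get(p), v) for p, v in sec.items() if main.get(p) != v}


def run_demo():
    """Populate a temp tree, simulate three kinds of drift, and report."""
    expected = parse_md5sums(make_md5sums_text(ORIGINAL_CONTENTS))
    with tempfile.TemporaryDirectory() as root:
        for rel, data in ORIGINAL_CONTENTS.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        # Simulated drift: admin edited the conffile, a library was replaced,
        # the README was deleted, the main binary is untouched.
        with open(os.path.join(root, "etc/demo-tool.conf"), "ab") as fh:
            fh.write(b"level = 2\n")
        with open(os.path.join(root, "usr/lib/demo-tool/helper.so"), "wb") as fh:
            fh.write(b"different bytes\n")
        os.remove(os.path.join(root, "usr/share/doc/demo-tool/README"))
        status = verify_files(root, expected, CONFFILES)
    return status, security_differs(MAIN_PACKAGES, SECURITY_PACKAGES)


if __name__ == "__main__":
    file_status, version_diff = run_demo()
    for path, state in sorted(file_status.items()):
        print(f"{state:18} {path}")
    for pkg, (main_v, sec_v) in version_diff.items():
        print(f"{pkg}: main={main_v} security={sec_v} (rebuilt files will differ)")
```

Only the `modified` entry deserves further investigation here: the conffile edit is routine, the missing README is a likely cleanup or packaging artifact, and the version report shows that `demo-tool` was updated in the security archive, so a checker that only consults the main index would flag a legitimate security rebuild as a mismatch. On a real system `debsums` performs the file check and `apt-cache policy <pkg>` shows which archive the installed version came from; ordering two Debian versions properly is `dpkg --compare-versions`, which this example deliberately does not reimplement.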
