On 08.05.22 at 20:21, Michael Lazin wrote:
> I think if you have a rootkit it is very unlikely to get rid of it
> without backing up and reimaging but you may be able to achieve it if
> you try first rkhunter and second apparmor which is similar to selinux
> which was developed by the nsa and made accessible as a Red Hat
> package. Both solutions have the ability to limit what root can do and
> are your only real option for saving a rooted system. It is important
> that if you try this that you dump your memory if rkhunter picks up a
> memory
> anomaly. Fileless malware is popular among sophisticated threat actors
> and rkhunter is equipped to find malware that resides in memory.
> Apparmor is included in Debian.
>
> Thanks,
> Michael Lazin
Yes, it would be really interesting if rkhunter has also found the
rootkit. If it was developed by the NSA, I am sure it would not find a
rootkit used by the NSA. To my knowledge Apparmor was first developed as
part of openSUSE. I can remember having filed them a report with the
request to keep Apparmor as it is easier to use than SELinux.
Elmar
P.S.: A memory only rootkit would still need a hook to reinstall on a
fresh boot.