Re: What is the best free HIDS for Debian

To: debian-security@lists.debian.org
Subject: Re: What is the best free HIDS for Debian
From: Michael Lazin <microlaser@gmail.com>
Date: Mon, 9 May 2022 06:42:20 -0400
Message-id: <[🔎] CALdcr8faAD5xZbnGHiUK6DPT-GfhTmbb3xHQ67yeSW53xrPUvw@mail.gmail.com>
In-reply-to: <[🔎] 2f7f912c-e001-a32c-ca99-5eeb2c4a981a@elstel.org>
References: <[🔎] 62701ec7$0$18715$426a34cc@news.free.fr> <[🔎] 627260e6$0$24819$426a74cc@news.free.fr> <[🔎] 7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <[🔎] 42898050-0dea-3cfb-3462-0a58452182e5@elstel.org> <Ek6Yh-dEgS-3@gated-at.bofh.it> <[🔎] 6277d936$0$22287$426a74cc@news.free.fr> <[🔎] CALdcr8d8tq49E2+UE1khcb5YKKJP+FWTiLtnObQ7L5+afFJwxg@mail.gmail.com> <[🔎] 3269f6ada90bb33d1a672932ff4afc82@elstel.org> <[🔎] baf40c33ad6fdd6ba4e24ee09fee972b@elstel.org> <[🔎] CALdcr8dyg8uGCzfpFCrOEb8d8+38y8Cu3F+5MdY8oQPAARZSiw@mail.gmail.com> <[🔎] YnhIxd8lAT27VqEd@vandradlabs.com.au> <[🔎] 2f7f912c-e001-a32c-ca99-5eeb2c4a981a@elstel.org>

This supports the use of rkhunter and running it once on first install but you can manually find file changes systematically by becoming root and going to the top level directory and running “find -ctime 1”, “find -ctime -2” etc ad infinitum until you find all files that may have been compromised. This method will not find deleted files so some expertise in the Linux file system is necessary when not using rkhunter.

Thanks,

Michael Lazin

On Mon,May 9, 2022 at 4:04 AM Elmar Stellnberger <estellnb@elstel.org> wrote:

Am 09.05.22 um 00:48 schrieb Tomasz Ciolek:
> 5. have we eliminated other causes of file mismatch - bad/incomplete
> updates, corrupted HDD, bad RAM, user error ?

If exactly such files have been changed where there is reason to
manipulate them for a rootkit then one shall assume unequivocally that
there is a rootkit installed. With bad RAM you get a system crash and
with a physically bad hard disk you get filesystem errors on fsck, none
of which you get with a rootkit where only certain files have been
manipulated intentionally. A broken update could theoretically result in
a singleton file of half the size. Usually running programs keep to use
the old version of the file under Linux while newly issued open
operations on the same file name will use the file as replaced by an
update. A file of half the size would however result in an unusable
program, none of which you would usually observe with a rootkit.

Elmar

--

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

Reply to:

References:
- What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Michael Lazin <microlaser@gmail.com>
- Re: What is the best free HIDS for Debian
  - From: estellnb@elstel.org
- Re: What is the best free HIDS for Debian
  - From: estellnb@elstel.org
- Re: What is the best free HIDS for Debian
  - From: Michael Lazin <microlaser@gmail.com>
- Re: What is the best free HIDS for Debian
  - From: Tomasz Ciolek <tmc@vandradlabs.com.au>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>

Prev by Date: Re: What is the best free HIDS for Debian
Next by Date: Re: What is the best free HIDS for Debian
Previous by thread: Re: What is the best free HIDS for Debian
Next by thread: Re: What is the best free HIDS for Debian
Index(es):
- Date
- Thread