Hi all,

I need to install an anti-rootkit in a lot of servers. I know that there're several options: tripwire, aide, chkrootkit...

What do you prefer?

Obviously, I have to define my needs:

- easy setup and configuration
- actively developed

--
Thanks,
Jordi Espasa Clofent
Hi Jordi,

On 13/01/2008, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

I've used Integrit (http://integrit.sourceforge.net) on quite a number of machines. It's very easy to set up and get going quickly. There is a port, but it doesn't seem to have been updated to the latest version (4.1) yet.

rg

--
rob.gallagher (at) gmail.com || www.spoofedpacket.net || PK: 0x1DD13A78
Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

I am using security/rkhunter from ports. It is really easy to set up and configure. I have some local scripts for periodic reports which I plan to submit to the PR database.

Miroslav Lachman
On Sun, Jan 13, 2008 at 10:38:37PM +0100, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

These needs are nice, but what effects do you want to achieve?

If you want to verify that nobody's loaded a rootkit, you can use chkrootkit. Note that detecting a running rootkit is actively hard, and is prone to failure.

If you want to verify that nobody has changed files on your system, you can use a tripwire-like system. mtree(1) actually includes tripwire-like functionality, which I've used quite successfully in the past.

I think that the latter is more realistic, but that's just my humble opinion.

==ml

--
Michael W. Lucas
mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/
Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
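The tripwire-like check Michael describes, as an added example that is not from any poster in this thread: a baseline-and-compare script in Python that does the same job as mtree's spec file, so the logic can be read and run anywhere. The function names (`build_baseline`, `compare`, `demo`), the sample files and the simulated drift are constructed for illustration; the mtree invocation in the comment is the FreeBSD equivalent.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# FreeBSD's mtree does this natively (mtree -c -K sha256digest -p DIR > spec; later mtree -f spec -p DIR).
# Either way, keep the baseline read-only and off the monitored host; a rewritable baseline proves nothing.

def _fingerprint(path: Path) -> dict:
    """Mode, size and content digest (or link target): what a tripwire-style check compares."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        entry["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["link"] = os.readlink(path)  # a retargeted symlink is a change too
    return entry

def build_baseline(root) -> dict:
    """Map every file and symlink under root (relative POSIX path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_symlink() or not p.is_dir()}

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed entries, naming the attributes that differ."""
    changed = {}
    for rel in sorted(baseline.keys() & current.keys()):
        diffs = sorted(k for k in baseline[rel].keys() | current[rel].keys()
                       if baseline[rel].get(k) != current[rel].get(k))
        if diffs:
            changed[rel] = diffs
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()), "changed": changed}

def demo() -> dict:
    """Constructed walkthrough: baseline a scratch tree, then let it drift in four ways."""
    root = Path(tempfile.mkdtemp(prefix="integrity-"))
    (root / "bin").mkdir()
    ls = root / "bin" / "ls"
    ls.write_bytes(b"#!/bin/sh\necho original\n")
    ls.chmod(0o755)
    (root / "sshd.conf").write_bytes(b"PermitRootLogin no\n")
    baseline = build_baseline(root)
    ls.write_bytes(b"#!/bin/sh\necho tampered\n")  # same size, so only the digest catches it
    ls.chmod(0o700)
    (root / "bin" / "new").write_bytes(b"x")
    (root / "sshd.conf").unlink()
    return compare(baseline, build_baseline(root))
```

Run on a real tree, the baseline belongs on read-only or off-host storage and the comparison in a periodic job, which is exactly what the mtree spec plus a cron entry gives you on FreeBSD.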