Anti-Rootkit app
Michael W. Lucas
mwlucas at blackhelicopters.org
Mon Jan 14 13:41:36 PST 2008
On Sun, Jan 13, 2008 at 10:38:37PM +0100, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkid in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> ?What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed
These needs are nice, but what effects do you want to achieve?
If you want to verify that nobody's loaded a rootkit, you can use
chkrootkit. Note that detecting a running rootkit is actively hard,
and is prone to failure.
If you want to verify that nobody has changed files on your system,
you can use a tripwire-like system. Mtree(1) actually includes
tripwire-like functionality, which I've used quite successfully in the
past.
I think that the latter is more realistic, but that's just my humble
opinion.
==ml
--
Michael W. Lucas mwlucas at BlackHelicopters.org, mwlucas at FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/
Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
More information about the freebsd-security
mailing list