Date:      Mon, 14 Jan 2008 16:24:11 -0500
From:      "Michael W. Lucas" <mwlucas@blackhelicopters.org>
To:        Jordi Espasa Clofent <jordi.espasa@opengea.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Anti-Rootkit app
Message-ID:  <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>
In-Reply-To: <478A84DD.3040205@opengea.org>
References:  <478A84DD.3040205@opengea.org>

On Sun, Jan 13, 2008 at 10:38:37PM +0100, Jordi Espasa Clofent wrote:
> Hi all,
> 
> I need to install an anti-rootkit in a lot of servers. I know that 
> there're several options: tripwire, aide, chkrootkit...
> 
> What do you prefer?
> 
> Obviously, I have to define my needs:
> 
> - easy setup and configuration
> - actively developed

These needs are nice, but what effects do you want to achieve?

If you want to verify that nobody's loaded a rootkit, you can use
chkrootkit.  Note that detecting a running rootkit is actively hard,
and is prone to failure.

If you want to verify that nobody has changed files on your system,
you can use a tripwire-like system.  Mtree(1) actually includes
tripwire-like functionality, which I've used quite successfully in the
past.

I think that the latter is more realistic, but that's just my humble
opinion.

==ml

-- 
Michael W. Lucas 	mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
		http://www.BlackHelicopters.org/~mwlucas/
      Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
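The reply above recommends mtree(1) as the "tripwire-like" option: take a specification of a tree (on FreeBSD, `mtree -c -K sha256digest -p /usr/bin > usr-bin.spec`), keep it somewhere an intruder cannot reach, and later run `mtree -p /usr/bin -f usr-bin.spec` to list what changed. The following is an added illustration of that baseline-and-compare idea, written for this archive page and not part of the original thread; it is a small Python stand-in for the mtree workflow, not mtree itself. File names such as `bin/ls` and the directory layout are constructed for the demo.

```python
"""Minimal mtree-style file integrity check: record a baseline of a tree,
then compare the live tree against it (constructed example, not mtree)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks (the mtree sha256digest keyword)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_spec(root):
    """Walk root and record type, mode, owner, size and digest per relative path
    (the equivalent of `mtree -c -K sha256digest -p root`)."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            entry = {
                "type": "link" if stat.S_ISLNK(st.st_mode) else "file",
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
            if entry["type"] == "file":
                entry["sha256"] = file_digest(full)
            else:
                entry["link"] = os.readlink(full)
            spec[rel] = entry
    return spec


def verify_spec(root, spec):
    """Compare the live tree with a saved baseline (the equivalent of `mtree -p root -f spec`).
    Returns (kind, relative_path, changed_key) findings; kind is changed/missing/extra."""
    current = create_spec(root)
    findings = []
    for rel, expected in sorted(spec.items()):
        actual = current.get(rel)
        if actual is None:
            findings.append(("missing", rel, None))
            continue
        for key in expected:
            if actual.get(key) != expected[key]:
                findings.append(("changed", rel, key))
    for rel in sorted(set(current) - set(spec)):
        findings.append(("extra", rel, None))
    return findings


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-verify."""
    root = tempfile.mkdtemp(prefix="mtree-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary A")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original binary B")
        # Serialise the baseline; in practice keep it off-host or on read-only media,
        # since a baseline the intruder can rewrite proves nothing.
        baseline = json.dumps(create_spec(root), sort_keys=True)
        # Tamper: same-size replacement of ls (only the digest catches this),
        # removal of ps, and a new file dropped into the tree.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned binary A")
        os.remove(os.path.join(root, "bin", "ps"))
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped")
        return verify_spec(root, json.loads(baseline))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path, key in demo():
        print(kind, path, key or "")
```

The same-size replacement is the reason the reply's approach relies on digests rather than sizes and timestamps alone; a baseline that records only `size` would report the trojaned `bin/ls` as unchanged.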