From: "Michael W. Lucas" <mwlucas@bewilderbeast.blackhelicopters.org>
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Jan 2008 16:24:11 -0500
Subject: Re: Anti-Rootkit app
Message-ID: <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>
In-Reply-To: <478A84DD.3040205@opengea.org>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

On Sun, Jan 13, 2008 at 10:38:37PM +0100, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

These needs are nice, but what effects do you want to achieve?

If you want to verify that nobody's loaded a rootkit, you can use
chkrootkit. Note that detecting a running rootkit is actively hard, and
is prone to failure.

If you want to verify that nobody has changed files on your system, you
can use a tripwire-like system. Mtree(1) actually includes tripwire-like
functionality, which I've used quite successfully in the past.

I think that the latter is more realistic, but that's just my humble
opinion.

==ml

-- 
Michael W. Lucas        mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/
Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."