From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 23:54:37 2008
Message-ID: <478BF315.8020106@nruns.com>
Date: Tue, 15 Jan 2008 00:41:09 +0100
From: Jan Münther
To: "Michael W. Lucas"
Cc: freebsd-security@freebsd.org, Jordi Espasa Clofent
Subject: Re: Anti-Rootkit app
In-Reply-To: <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>
References: <478A84DD.3040205@opengea.org> <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>

Howdy,

> If you want to verify that nobody has changed files on your system,
> you can use a tripwire-like system. Mtree(1) actually includes
> tripwire-like functionality, which I've used quite successfully in the
> past.
>
> > I think that the latter is more realistic, but that's just my humble
> > opinion.

The point really is that people expect way too much from Tripwire-style file integrity checkers. No self-respecting rootkit author nowadays writes anything that is based on replacing system binaries. Typically, there are KLD-based rootkits, or even just ones that live in memory, which are impossible to catch with this approach.

From what I recall (it's been ages since I looked into this) chkrootkit and rkhunter do some basic things to try and detect whether syscalls got hooked, but it is absolutely nothing I would rely on.

As Michael has pointed out, detecting a running rootkit is hard, if not close to impossible, if you have a skilled attacker (which, granted, is rarely the case).

I'd put more stress on the preventive side of things, use MAC etc., and just generally monitor your system well, update it, and maintain it wisely - I think that's effort better spent.

Cheers, Jan

-- 
Jan Muenther, CTO Security, n.runs AG
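The mtree(1) approach quoted above records per-file attributes into a specification and later checks the filesystem against it. As an added example (not code from this thread; mtree(1) does this natively with -c -K sha256digest and -f), here is a minimal Python reimplementation of that baseline-and-compare step over a constructed directory tree. It also makes Jan's caveat concrete: the check only sees files on disk, so a same-size in-place replacement is caught by the hash, while anything resident only in memory or in a loaded module never appears in the spec at all.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def build_spec(root):
    """Walk root and record what an mtree spec with sha256digest would: mode, size, SHA-256 per regular file."""
    spec = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        spec[str(path.relative_to(root))] = {
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return spec


def compare_spec(baseline, current):
    """Report what 'mtree -f baseline' would flag: missing files, extra files, changed attributes."""
    missing = sorted(set(baseline) - set(current))
    extra = sorted(set(current) - set(baseline))
    changed = {}
    for name in set(baseline) & set(current):
        diffs = {k: (baseline[name][k], current[name][k])
                 for k in baseline[name] if baseline[name][k] != current[name][k]}
        if diffs:
            changed[name] = diffs
    return {"missing": missing, "extra": extra, "changed": changed}


def demo():
    """Constructed sample tree (assumption): take a baseline, then simulate tampering and re-check."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls")
        (bin_dir / "ps").write_bytes(b"original ps")
        baseline = build_spec(root)
        # Simulated tampering: same-size replacement of one file, plus one new file.
        (bin_dir / "ps").write_bytes(b"modified ps")
        (bin_dir / ".hidden").write_bytes(b"extra")
        return compare_spec(baseline, build_spec(root))


if __name__ == "__main__":
    print(demo())
```

The size field does not change for bin/ps, so only the digest reveals the replacement; this is why a spec without a cryptographic digest keyword is of little use for integrity checking.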