

Groups > linux.debian.security > #6111

Re: What is the best free HIDS for Debian

Path csiph.com!1.us.feeder.erje.net!3.us.feeder.erje.net!3.eu.feeder.erje.net!feeder.erje.net!news2.arglkargh.de!news.mixmin.net!aioe.org!bofh.it!news.nic.it!robomod
From estellnb@elstel.org
Newsgroups linux.debian.security
Subject Re: What is the best free HIDS for Debian
Date Sun, 08 May 2022 20:50:01 +0200
Message-ID <EkU8F-e98w-5@gated-at.bofh.it> (permalink)
References <EiJ7H-cKEs-3@gated-at.bofh.it> <Ejlwl-d9mK-1@gated-at.bofh.it> <Ek6EV-dDUf-5@gated-at.bofh.it> <Ek6Yh-dEgS-3@gated-at.bofh.it> <EkQRr-e7eu-5@gated-at.bofh.it> <EkQRr-e7eu-3@gated-at.bofh.it> <EkTPj-e92s-19@gated-at.bofh.it>
X-Mailbox-Line From debian-security-request@lists.debian.org Sun May 8 18:43:36 2022
Old-Return-Path <estellnb@elstel.org>
X-Amavis-Spam-Status No, score=-7.809 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FOURLA=0.1, LDO_WHITELIST=-5, RCVD_IN_DNSWL_LOW=-0.7, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
X-Policyd-Weight using cached result; rate:hard: -5.5
MIME-Version 1.0
User-Agent dotplex Roundcube Webmail
X-Sender estellnb@elstel.org
Content-Type text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding 7bit
X-Mailing-List <debian-security@lists.debian.org> archive/latest/29263
List-ID <debian-security.lists.debian.org>
List-URL <https://lists.debian.org/debian-security/>
List-Archive https://lists.debian.org/msgid-search/3269f6ada90bb33d1a672932ff4afc82@elstel.org
Approved robomod@news.nic.it
Lines 25
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Cc debian-security@lists.debian.org
X-Original-Date Sun, 08 May 2022 20:43:21 +0200
X-Original-Message-ID <3269f6ada90bb33d1a672932ff4afc82@elstel.org>
X-Original-References <62701ec7$0$18715$426a34cc@news.free.fr> <627260e6$0$24819$426a74cc@news.free.fr> <7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <42898050-0dea-3cfb-3462-0a58452182e5@elstel.org> <Ek6Yh-dEgS-3@gated-at.bofh.it> <6277d936$0$22287$426a74cc@news.free.fr> <CALdcr8d8tq49E2+UE1khcb5YKKJP+FWTiLtnObQ7L5+afFJwxg@mail.gmail.com>
Xref csiph.com linux.debian.security:6111



On 08.05.22 at 20:21, Michael Lazin wrote:
> I think if you have a root kit it is very unlikely to get rid of it
> without backing up and reimaging but you may be able to achieve it if
> you try first rkhunter and second AppArmor which is similar to SELinux
> which was developed by the NSA and made accessible as a Red Hat
> package.  Both solutions have the ability to limit what root can do and
> is your only real option for saving a rooted system.  It is important
> that if you try this that you dump your memory rkhunter picks up a
> memory anomaly.  Fileless malware is popular among sophisticated threat actors
> and rkhunter is equipped to find malware that resides in memory.
> AppArmor is included in Debian.
> 
> Thanks,
> Michael Lazin
Yes, it would be really interesting if rkhunter has also found the
rootkit. If it was developed by the NSA, I am sure it would not find a
rootkit used by the NSA. To my knowledge AppArmor was first developed as
part of openSUSE. I can remember having filed them a report with the
request to keep AppArmor as it is easier to use than SELinux.

Elmar

P.S.: A memory only rootkit would still need a hook to reinstall on a 
fresh boot.
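The point in the P.S. above, that a memory-only rootkit still needs a boot-time hook to come back, is exactly what a file-integrity HIDS is positioned to catch: baseline the persistence locations, then diff them. The following is an added example written for this page, not code from the thread, from rkhunter or from any Debian package. It builds a SHA-256 snapshot of a watched set of files and directories and reports what was added, removed or changed. The list in DEFAULT_HOOK_DIRS is an assumption about which locations are worth watching first; the demo runs against a constructed temporary directory so it works offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed starting list of boot-time persistence locations on a Debian host.
# A real deployment would extend this (and keep the baseline off-box, since a
# rootkit with root can rewrite a baseline stored on the same disk).
DEFAULT_HOOK_DIRS = [
    "/etc/systemd/system",
    "/etc/cron.d",
    "/etc/cron.daily",
    "/etc/rc.local",
    "/etc/modules-load.d",
    "/etc/ld.so.preload",
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(locations):
    """Return {absolute path: sha256} for every regular file in the given
    files and directories (directories are walked recursively)."""
    result = {}
    for loc in locations:
        p = Path(loc)
        if p.is_file():
            result[str(p)] = sha256_of(p)
        elif p.is_dir():
            for f in sorted(p.rglob("*")):
                if f.is_file():
                    result[str(f)] = sha256_of(f)
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; any entry in 'added' or 'changed' under a
    persistence directory is a candidate reinstall hook to investigate."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a clean baseline of a cron directory and an
    rc.local, after which a new cron entry appears and rc.local is edited.
    Returns the diff with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cron.d").mkdir()
        (root / "cron.d" / "logrotate").write_text(
            "0 1 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
        )
        (root / "rc.local").write_text("#!/bin/sh\nexit 0\n")
        watched = [root / "cron.d", root / "rc.local"]
        baseline = snapshot(watched)

        # Constructed "hook": an unexpected @reboot entry plus a modified rc.local.
        (root / "cron.d" / "new-entry").write_text("@reboot root /opt/unknown/agent\n")
        (root / "rc.local").write_text("#!/bin/sh\n/opt/unknown/agent &\nexit 0\n")

        diff = diff_snapshots(baseline, snapshot(watched))
        return {
            k: [str(Path(p).relative_to(root)) for p in v] for k, v in diff.items()
        }


if __name__ == "__main__":
    # On a real host: baseline = snapshot(DEFAULT_HOOK_DIRS), persist it
    # somewhere the host cannot alter, and diff against it on a schedule.
    print(demo())
```

The design choice worth noting is that the comparison is only as trustworthy as the baseline's storage and the kernel answering the reads; a kernel-level rootkit can lie to `open()` and `read()`, which is why the thread's advice to compare from a clean boot or a separate medium still applies.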



Thread

What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-02 20:40 +0200
  Re: What is the best free HIDS for Debian Hannes von Haugwitz <hannes@vonhaugwitz.com> - 2022-05-02 21:00 +0200
  Re: What is the best free HIDS for Debian "Dave P." <dprowseus@gmail.com> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian Gianluca Gabrielli <ggabrielli@suse.de> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian "Darren S." <phatbuckett@gmail.com> - 2022-05-02 21:50 +0200
  Re: What is the best free HIDS for Debian mlnl <mlnl@mailbox.org> - 2022-05-03 06:30 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-03 14:40 +0200
    Re: What is the best free HIDS for Debian Jonathan Hutchins <hutchins@tarcanfel.org> - 2022-05-03 15:10 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-03 15:30 +0200
    Re: What is the best free HIDS for Debian Marc Haber <mh+debian-security@zugschlus.de> - 2022-05-04 10:10 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-04 13:40 +0200
    Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:00 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:20 +0200
        Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-08 17:20 +0200
          Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:30 +0200
            Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 20:50 +0200
              Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:50 +0200
                Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:20 +0200
              Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:50 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 00:30 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 01:00 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 10:10 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 12:50 +0200
                Re: What is the best free HIDS for Debian tmc@vandradlabs.com.au - 2022-05-09 13:40 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 14:00 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 15:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:40 +0200
          Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-13 16:30 +0200
            Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-16 12:00 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-16 13:10 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-17 12:00 +0200
      Re: What is the best free HIDS for Debian Vitaly Krasheninnikov <iam@krushik.ru> - 2022-05-10 05:40 +0200
        Re: What is the best free HIDS for Debian Richard van den Berg <richard@vdberg.org> - 2022-05-10 08:40 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-11 17:50 +0200
