
Re: What is the best free HIDS for Debian

From Tomasz Ciolek <tmc@vandradlabs.com.au>
Newsgroups linux.debian.security
Subject Re: What is the best free HIDS for Debian
Date 2022-05-09 01:00 +0200
Message-ID <EkY2C-eboV-5@gated-at.bofh.it> (permalink)
References (5 earlier) <EkQRr-e7eu-3@gated-at.bofh.it> <EkTPj-e92s-19@gated-at.bofh.it> <EkU8F-e98w-5@gated-at.bofh.it> <EkV4K-e9Go-9@gated-at.bofh.it> <EkXzz-ebew-3@gated-at.bofh.it>
Organization linux.* mail to news gateway




Hi All

I have been following this discussion with some interest.

I have a few questions, which all go to:

1. What behaviour leads the system owner/manager to believe that there is a security issue at play here?
2. How old is the system in question?
3. Have there been manual tool installs done on the system?
4. Has the system been fully updated/upgraded?
5. Have we eliminated other causes of file mismatch: bad/incomplete updates, corrupted HDD, bad RAM, user error?
6. Finally, does the debcheckroot tool look at the security distribution archive as well as the main Debian archive? There are times when packages are updated in the security archive but not reflected in mainline.

Cheers
Tomasz

On Sun, May 08, 2022 at 06:26:51PM -0400, Michael Lazin wrote:
> Rkhunter does find patterns of known rootkits, but it also finds indicators
> like the memory anomalies I mentioned, and it logs each file change from
> the install; this is why ideally you should install it on a fresh system.
> Thanks.
> 
> Michael Lazin
> 
> On Sun, May 8, 2022 at 3:45 PM <estellnb@elstel.org> wrote:
> 
> > Am 08.05.2022 20:43, schrieb estellnb@elstel.org:
> > > P.S.: A memory only rootkit would still need a hook to reinstall on a
> > > fresh boot.
> >
> >    Yes, I know it is an issue. Debcheckroot does, for instance, not check
> > your initrd. To fix this issue I would need to write my own piece of
> > software, like debcheckinitrd. Anyone who wants to support me can do
> > this: https://www.elstel.org/Contact.html. I am a free developer and I
> > do not get paid for my open source related work.
> >
> -- 
> Michael Lazin
> 
> .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

-- 
Tomasz M. Ciolek	
*******************************************************************************
 tmc at vandradlabs dot com dot au 
*******************************************************************************
   GPG Key ID:		0x830AD092288EF017
   GPG Key Fingerprint: 07DF B95B DB58 57B6 9656  682E 830A D092 288E F017
   Key available on good key-servers
*******************************************************************************
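Tomasz's sixth question, whether a verifier consults the security archive as well as main, comes down to picking the right reference version for each installed package before comparing file hashes. The following is an added example, not code from debcheckroot, rkhunter or any poster in this thread: it implements the dpkg version ordering (epoch, upstream, revision; `~` sorts before everything, digit runs compare numerically) and, from constructed Packages stanzas for a hypothetical `main` and `security` index, reports which archive carries the version an integrity check should compare against. The package names, versions and SHA256 values in the sample data are constructed placeholders.

```python
"""Added example, not code from debcheckroot, rkhunter or any poster: pick, per
package, the newest version across the main and security indices so an integrity
check compares against the right .deb. Ordering follows dpkg's rules."""
import re

# Constructed sample Packages stanzas (field subset, placeholder SHA256 values).
MAIN_PACKAGES = """\
Package: openssl
Version: 1.1.1n-0+deb11u1
SHA256: 1111111111111111111111111111111111111111111111111111111111111111

Package: zlib1g
Version: 1:1.2.11.dfsg-2
SHA256: 2222222222222222222222222222222222222222222222222222222222222222

Package: libc6
Version: 2.31-13+deb11u3
SHA256: 3333333333333333333333333333333333333333333333333333333333333333
"""
SECURITY_PACKAGES = """\
Package: openssl
Version: 1.1.1n-0+deb11u2
SHA256: 4444444444444444444444444444444444444444444444444444444444444444

Package: zlib1g
Version: 1:1.2.11.dfsg-2+deb11u1
SHA256: 5555555555555555555555555555555555555555555555555555555555555555

Package: libc6
Version: 2.31-13+deb11u2
SHA256: 6666666666666666666666666666666666666666666666666666666666666666
"""
ARCHIVES = {"main": MAIN_PACKAGES, "security": SECURITY_PACKAGES}


def _order(c):
    # dpkg character weight: '~' < end-of-string/digit < letters < other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream-version or revision string the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights; a[i:i+1] is "" past the end
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        # digit run: drop leading zeros; the longer run wins, else the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first = first or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first:
            return first
    return 0


def _split(v):
    # 'epoch:upstream-revision'; epoch defaults to 0, revision to ''
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    up, sep, rev = rest.rpartition("-")
    return int(epoch), (up if sep else rev), (rev if sep else "")


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    c = (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def parse_packages(text):
    """Parse RFC822-style Packages stanzas into {name: fields}; if one index lists
    a package more than once, keep its highest version."""
    result = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, val = line.partition(":")
            if sep and not line[:1].isspace():  # skip continuation lines
                fields[key] = val.strip()
        name = fields.get("Package")
        if name and (name not in result or dpkg_compare(fields["Version"], result[name]["Version"]) > 0):
            result[name] = fields
    return result


def newest_candidates(archives):
    """Per package, (version, archive, sha256) of the newest version across all
    indices. A verifier reading only 'main' compares against the wrong .deb
    wherever 'security' wins."""
    best = {}
    for label, text in archives.items():
        for name, f in parse_packages(text).items():
            if name not in best or dpkg_compare(f["Version"], best[name][0]) > 0:
                best[name] = (f["Version"], label, f["SHA256"])
    return best


if __name__ == "__main__":
    for name, (ver, label, sha) in sorted(newest_candidates(ARCHIVES).items()):
        print(f"{name:8} {ver:26} from {label:8} sha256={sha[:12]}...")
```

In the sample data `openssl` and `zlib1g` resolve to the security index while `libc6` stays with main, since a point release can carry a newer revision than the last security upload; the point is that neither index alone is the right reference, only the per-package maximum is. In practice the hashes would come from the `SHA256` field of signed, Release-verified Packages indices for both suites, and the comparison target is the installed package version from `dpkg-query`, not whichever version happens to be current.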



Thread

What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-02 20:40 +0200
  Re: What is the best free HIDS for Debian Hannes von Haugwitz <hannes@vonhaugwitz.com> - 2022-05-02 21:00 +0200
  Re: What is the best free HIDS for Debian "Dave P." <dprowseus@gmail.com> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian Gianluca Gabrielli <ggabrielli@suse.de> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian "Darren S." <phatbuckett@gmail.com> - 2022-05-02 21:50 +0200
  Re: What is the best free HIDS for Debian mlnl <mlnl@mailbox.org> - 2022-05-03 06:30 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-03 14:40 +0200
    Re: What is the best free HIDS for Debian Jonathan Hutchins <hutchins@tarcanfel.org> - 2022-05-03 15:10 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-03 15:30 +0200
    Re: What is the best free HIDS for Debian Marc Haber <mh+debian-security@zugschlus.de> - 2022-05-04 10:10 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-04 13:40 +0200
    Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:00 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:20 +0200
        Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-08 17:20 +0200
          Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:30 +0200
            Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 20:50 +0200
              Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:50 +0200
                Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:20 +0200
              Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:50 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 00:30 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 01:00 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 10:10 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 12:50 +0200
                Re: What is the best free HIDS for Debian tmc@vandradlabs.com.au - 2022-05-09 13:40 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 14:00 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 15:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:40 +0200
          Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-13 16:30 +0200
            Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-16 12:00 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-16 13:10 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-17 12:00 +0200
      Re: What is the best free HIDS for Debian Vitaly Krasheninnikov <iam@krushik.ru> - 2022-05-10 05:40 +0200
        Re: What is the best free HIDS for Debian Richard van den Berg <richard@vdberg.org> - 2022-05-10 08:40 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-11 17:50 +0200
