


Re: What is the best free HIDS for Debian

From Elmar Stellnberger <estellnb@elstel.org>
Newsgroups linux.debian.security
Subject Re: What is the best free HIDS for Debian
Date 2022-05-09 14:00 +0200
Message-ID <Eladr-ejCA-7@gated-at.bofh.it> (permalink)
References (8 earlier) <EkV4K-e9Go-9@gated-at.bofh.it> <EkXzz-ebew-3@gated-at.bofh.it> <EkY2C-eboV-5@gated-at.bofh.it> <El6CR-ehI2-1@gated-at.bofh.it> <El9U5-ejwj-3@gated-at.bofh.it>
Organization linux.* mail to news gateway




On 09.05.22 at 13:34, tmc@vandradlabs.com.au wrote:
> 
> 
> On 2022-05-09 18:04, Elmar Stellnberger wrote:
>> On 09.05.22 at 00:48, Tomasz Ciolek wrote:
>>> 5. have we eliminated other causes of file mismatch - bad/incomplete
>>> updates, corrupted HDD, bad RAM, user error ?
>>
>>   If exactly such files have been changed where there is reason to
>> manipulate them for a rootkit then one shall assume unequivocally that
>> there is a rootkit installed. With bad RAM you get a system crash and
>> with a physically bad hard disk you get filesystem errors on fsck,

   Yes, bad cache RAM written to a hard disk can at least in theory
result in corrupted files on disk. If you read what I have written, then
you see my argument that the whole program would then have become
unusable, which is not the case for our example. Also I want to add that
bad RAM just causing file corruptions but no crash is very unlikely.

> 
> Not always true. I have experienced what looked like creeping file
> system corruption that was in the end tracked down to bad RAM. It only
> occurred under heavy load when RAM was over-utilised and then swapped
> out.

   As said, I don't really believe what you tell here. In theory
non-ECC RAM can have errors, but these are very rare. Damaged RAM, on the
other hand, is damaged independent of the system load, and it usually
causes more severe/obvious effects. The probability that a corrupt RAM
block affects only block data but no kernel data structures is not that
high, as these tend to be interleaved.

> 
>> none of which you get with a rootkit where only certain files have
>> been manipulated intentionally. A broken update could theoretically
>> result in a singleton file of half the size. Usually running programs
> 
> again I have seen bad/partial

   An update can only leave a partial file that is a prefix of an
original file, never a corrupted one. That is, if you read what I have
told. All modern Linux filesystems use journalling, and there will be no
corruption like there possibly was on old Windows machines.

> I would want to see more information about what diagnostics were
> done before I cry rootkit.
>

   You are one of the people who want to tell people that they are not
infected by a rootkit when they obviously are. My recommendation for
everyone is: take care not to trust such people!
   Besides this, I have asked Sylvain to collect more information, as
this can still be interesting.
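
The distinction argued in this exchange, a truncated prefix left by an interrupted package update versus a file whose content actually diverges from the original, can be turned into a triage check that a HIDS alert handler runs before deciding how to escalate. The Python below is an added example written for this page, not code from the thread or from any of the HIDS tools discussed in it. It assumes the analyst has a known-good reference copy of the file (for instance extracted from a freshly downloaded copy of the same package version) and constructs its own sample bytes, so it runs offline.

```python
"""Triage helper for a file-integrity (HIDS) mismatch.

Given the bytes of a suspect file and a known-good reference copy, decide
whether the suspect is identical, a strict prefix of the reference (the
shape an interrupted package update can leave behind), or diverges in
content (an unexplained modification that deserves escalation).
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

IDENTICAL = "identical"
TRUNCATED_PREFIX = "truncated_prefix"
MODIFIED = "modified"


@dataclass
class MismatchReport:
    verdict: str
    first_diff_offset: Optional[int]   # None when the shared region matches
    suspect_size: int
    reference_size: int
    suspect_sha256: str
    reference_sha256: str


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Return the offset of the first differing byte within the common
    length of a and b, or None if that shared region is identical."""
    n = min(len(a), len(b))
    # Compare in 64 KiB chunks so large binaries are not scanned byte by
    # byte unless a chunk actually differs.
    chunk = 65536
    for start in range(0, n, chunk):
        end = min(start + chunk, n)
        if a[start:end] != b[start:end]:
            for i in range(start, end):
                if a[i] != b[i]:
                    return i
    return None


def classify_mismatch(suspect: bytes, reference: bytes) -> MismatchReport:
    """Classify how `suspect` relates to `reference`."""
    offset = first_difference(suspect, reference)
    if offset is None:
        if len(suspect) == len(reference):
            verdict = IDENTICAL
        elif len(suspect) < len(reference):
            # Shorter and matching byte-for-byte up to its end: a pure
            # truncation, consistent with a write that never completed.
            verdict = TRUNCATED_PREFIX
        else:
            # Longer than the reference: extra bytes were appended.
            verdict = MODIFIED
            offset = len(reference)
    else:
        verdict = MODIFIED
    return MismatchReport(
        verdict=verdict,
        first_diff_offset=offset,
        suspect_size=len(suspect),
        reference_size=len(reference),
        suspect_sha256=hashlib.sha256(suspect).hexdigest(),
        reference_sha256=hashlib.sha256(reference).hexdigest(),
    )


def classify_files(suspect_path: str, reference_path: str) -> MismatchReport:
    """Same check on two files on disk; both paths are supplied by the caller."""
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    with open(reference_path, "rb") as f:
        reference = f.read()
    return classify_mismatch(suspect, reference)


# Constructed sample "binary" for the demo: not a real file from any package.
SAMPLE_REFERENCE = bytes(range(256)) * 4


def demo() -> List[str]:
    """Run the three cases from the discussion against the constructed
    sample and return their verdicts in order."""
    cases = [
        SAMPLE_REFERENCE,                                           # untouched
        SAMPLE_REFERENCE[:500],                                     # half-written
        SAMPLE_REFERENCE[:300] + b"\xff" + SAMPLE_REFERENCE[301:],  # one byte patched
    ]
    return [classify_mismatch(c, SAMPLE_REFERENCE).verdict for c in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The report carries the verdict together with the first differing offset and both hashes, so the alert record shows which case applies: a matched prefix with a shorter size is the interrupted-update shape, while a divergence inside the file, or a file that is the right size but differs, is the situation the thread is debating and the one worth collecting further evidence on (package checksum lists, dpkg logs, and a comparison of the binary's behaviour) before closing the alert.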



Thread

What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-02 20:40 +0200
  Re: What is the best free HIDS for Debian Hannes von Haugwitz <hannes@vonhaugwitz.com> - 2022-05-02 21:00 +0200
  Re: What is the best free HIDS for Debian "Dave P." <dprowseus@gmail.com> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian Gianluca Gabrielli <ggabrielli@suse.de> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian "Darren S." <phatbuckett@gmail.com> - 2022-05-02 21:50 +0200
  Re: What is the best free HIDS for Debian mlnl <mlnl@mailbox.org> - 2022-05-03 06:30 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-03 14:40 +0200
    Re: What is the best free HIDS for Debian Jonathan Hutchins <hutchins@tarcanfel.org> - 2022-05-03 15:10 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-03 15:30 +0200
    Re: What is the best free HIDS for Debian Marc Haber <mh+debian-security@zugschlus.de> - 2022-05-04 10:10 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-04 13:40 +0200
    Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:00 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:20 +0200
        Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-08 17:20 +0200
          Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:30 +0200
            Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 20:50 +0200
              Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:50 +0200
                Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:20 +0200
              Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:50 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 00:30 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 01:00 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 10:10 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 12:50 +0200
                Re: What is the best free HIDS for Debian tmc@vandradlabs.com.au - 2022-05-09 13:40 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 14:00 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 15:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:40 +0200
          Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-13 16:30 +0200
            Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-16 12:00 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-16 13:10 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-17 12:00 +0200
      Re: What is the best free HIDS for Debian Vitaly Krasheninnikov <iam@krushik.ru> - 2022-05-10 05:40 +0200
        Re: What is the best free HIDS for Debian Richard van den Berg <richard@vdberg.org> - 2022-05-10 08:40 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-11 17:50 +0200
