Re: Anti-Rootkit app
Howdy,
> If you want to verify that nobody has changed files on your system,
> you can use a tripwire-like system. Mtree(1) actually includes
> tripwire-like functionality, which I've used quite successfully in the
> past.
>
> I think that the latter is more realistic, but that's just my humble
> opinion.
>
>
The point really is that people expect way too much from Tripwire-style
file integrity checkers. No self respecting rootkit author nowadays
writes anything that is based on replacing system binaries.
Typically, there are KLD based rootkits, or even just ones that live in
memory, which are impossible to catch with this approach. From what I
recall (been ages since I looked into this) chkrootkit and rkhunter do
some basic things to try and detect whether syscalls got hooked, but is
absolutely nothing I would rely on. As Michael has pointed out,
detecting a running rootkit is hard, if not close to impossible, if you
have a skilled attacker (which, granted, is rarely the case).
I'd put more stress on the preventive side of things, use MAC etc., and
just generally monitor your system well, update it, and maintain it
wisely - I think that's effort better spent.
Cheers,
Jan
--
Jan Muenther, CTO Security, n.runs AG
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 7 之 10 篇):