Re: rkhunter

From: Jacco (jacco425_at_hotmail.com)
Date: 05/09/05


Date: Sun, 08 May 2005 23:27:48 GMT

On Sun, 08 May 2005 11:45:15 +0200, Jose Maria Lopez Hernandez wrote:

> muxaul@lenta.ru wrote:
>> I don't have rkhunter at hands at the moment but IIRC,
>> the database is owned by root and has 640 options so
>> that it cannot even be read by an ordinary user. If, on
>> the contrary, a cracker gets root's access, you are out
>> of luck anyway.
>
> If you think your system is compromised, the first thing
> you should do is obviously not to trust the security tools
> you have in the system.

So it's useless to use it for intrusion detection (i.e. to run it as a cron
job etc.)

> You just hook another disk or use
> a CDROM or download the apps you need to check the system.
> So there's no problem with rkhunter, you just have to
> use it right.

But you generally have to suspect your system is compromised before going
to that extent.

> The same thing could be said about any security checking
> tool you have in a system you think has been compromised.

Not necessarily. tripwire protects its databases and you can confirm them
by trying your passphrase. Although it doesn't protect its executable, you
can set its database up for a "known" filesystem error to ensure it's
reading your database.

As well rkhunter could easily be made more secure by having an option to
force a download of the database (even if it is up to date) before running
the scan [A similar idea to your suggestion of downloading the software
each time you want to run it]. Publication on the web of the md5 checksum
of the rkhunter executable itself could help establish if that has
been compromised.

The point to my question is how do you get to the stage where you "think
it has been compromised" if you cannot trust the security tools you use to
check that it has been compromised?

>> Mikhail
>
> Regards.
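The "known filesystem error" trick Jacco describes, as an added example that is not part of the thread and not tripwire's or rkhunter's own code: a minimal hash-baseline scanner whose baseline deliberately records a wrong digest for one canary file, so a scan that reports no deviations at all proves the scanner never consulted the baseline. The `CANARY` path, the function names and the file tree are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Hypothetical canary path: a real file whose baseline hash is recorded wrong on
# purpose, so every honest scan must flag it (the "known error" trick above).
CANARY = "etc/canary.txt"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root, rel_paths, canary=CANARY):
    """Record SHA-256 of each file; the canary gets a deliberately wrong digest."""
    baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in rel_paths}
    baseline[canary] = "0" * 64
    return baseline

def scan(root, baseline):
    """Return paths whose current hash differs from (or is missing from) the baseline."""
    deviations = []
    for rel, expected in sorted(baseline.items()):
        path = os.path.join(root, rel)
        actual = sha256_file(path) if os.path.isfile(path) else None
        if actual != expected:
            deviations.append(rel)
    return deviations

def evaluate(deviations, canary=CANARY):
    """'untrusted' if the canary is absent (baseline not consulted), else 'ok'/'changed'."""
    if canary not in deviations:
        return "untrusted"
    return "changed" if any(d != canary for d in deviations) else "ok"

def demo():
    # Constructed tree: a canary file and one "binary" that later gets replaced.
    with tempfile.TemporaryDirectory() as root:
        files = {CANARY: b"canary\n", "bin/ls": b"original binary\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root, files)
        clean = evaluate(scan(root, baseline))
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"replaced binary\n")  # simulate a modified system file
        changed = evaluate(scan(root, baseline))
        silent = evaluate([])  # a tampered scanner that reports nothing
        return clean, changed, silent
```

`demo()` returns `('ok', 'changed', 'untrusted')`: the third case is the one a plain checker cannot distinguish from a clean system.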
