On Thu, 8 Nov 2001 16:43:43 +0100
"Reto Inversini"
If you want to get additional safety against rootkits, consider installing an IDS on every freshly installed server. If you just want to be sure that the ps and netstat commands have not been touched by an intruder, you could write a script that compares a checksum of these files each time you log in to the server. In order to always have clean binaries ready, you could also place them somewhere on the server on an unmounted, encrypted partition. But I admit that it is a bit much work :-)
This is in fact basically what the SuSE security check scripts do, among other things. Plus SuSE ships with aide and tripwire, so take your pick, or run all three. However, whatever way you look at it, this can ALWAYS be defeated. Even if the entire filesystem was read-only, a _good_ hacker could still alter stuff in memory so that the checksums didn't run, or trojan tripwire. In one pen test I simply disabled tripwire and set up a cron script to mail the last valid report to the admin every day with a different date. This worked fine for several weeks (until the delivery of the pen test report).

There have been SOOOO many threads on this topic on every security mailing list in the world, and basically, if an attacker is good enough (and you have to assume that they/he is/are), then the ONLY way to be sure of valid files and checksums is to:

a) Make a checksum of the entire system before you plug it into a network, and burn these checksums to CD.

b) Periodically reboot the system from known good media (i.e. the SuSE rescue CD) and compare the checksums against the CD-ROM copy.

Obviously this hurts uptimes :-) but it's the only sure way. Some military installations etc. go to the length of running all systems from CD-ROM (including NT; this is quite painful, btw, I wouldn't recommend it...).

Don't be fooled into thinking that you are smarter than the attacker....

--
Viel Spaß
Nix - nix@susesecurity.com
http://www.susesecurity.com