Hi list,

I have downloaded chkrootkit, check_ps and rkdet, but I have a hard time figuring out how (best) to use them. As far as you don't see your own security compromised, I'd like to know some of your thoughts or configurations of these tools...

1 - Are any of the tools redundant and can be dropped (I think I understood that the functionality of check_ps is provided by chkrootkit as well, which does even more...)?
2 - Is any anti-rootkit tool missing (not speaking of tripwire etc.)?
3 - Which of the tools should I have running daemonized?
4 - Which files should I protect/have watched by rkdet?
5 - What do you think of the idea of creating and regularly running a customized shell script that would unzip the tools plus a set of trusted binaries and then use these instead of the always-installed ones? But that would mean I had to make special setups/'make install's, wouldn't it? And it wouldn't work with resident tools (rkdet) at all, right?

And so on; I could go on asking for hours, but I'll appreciate just about any help.

TIA, Andreas

--
To know recursion, you must first know recursion.
--
My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5
On Saturday 03 May 2003 18:19, Andreas Wagner wrote:
> .... 5 - What do you think of the idea of creating and regularly running a customized shell script that would unzip the tools plus a set of trusted binaries and then use these instead of the always-installed ones? But that would mean I had to make special setups/'make install's, wouldn't it? And it wouldn't work with resident tools (rkdet) at all, right? .....

Perhaps it's easier, and more secure, to run your trusted binaries from a CD. Sure, nobody can touch your code, configs, etc. ;-)

Regards,
Pedro
On Saturday, 3 May 2003 19:35, Pedro Cáliz wrote:
> On Saturday 03 May 2003 18:19, Andreas Wagner wrote:
>> .... 5 - What do you think of the idea of creating and regularly running a customized shell script that would unzip the tools plus a set of trusted binaries and then use these instead of the always-installed ones? But that would mean I had to make special setups/'make install's, wouldn't it? And it wouldn't work with resident tools (rkdet) at all, right? .....
>
> Perhaps it's easier, and more secure, to run your trusted binaries from a CD. Sure, nobody can touch your code, configs, etc. ;-)

If someone needs stuff like that, take a look at http://www.gibraltar.at/, which provides a firewall/router running completely from mechanically write-protected media.

> Regards,
> Pedro

Ciao
Michael
Hello Pedro, hello list,

* Pedro Cáliz wrote on May/03/2003:
>> 5 - What do you think of the idea of creating and regularly running a customized shell script that would unzip the tools plus a set of trusted binaries and then use these instead of the always-installed ones? But that would mean I had to make special setups/'make install's, wouldn't it? And it wouldn't work with resident tools (rkdet) at all, right?
>
> Perhaps it's easier, and more secure, to run your trusted binaries from a CD. Sure, nobody can touch your code, configs, etc. ;-)

Yes, I'm aware that this is the usual way to handle it. I just thought that a local bzip2 archive would a) be easier to handle/update and b) wouldn't require me to worry about having the correct CD in the drive at the right time...

BTW, I am trying to set this up on my home/notebook system, which I am also using for my day-to-day work, so running this machine as a dedicated firewall/router is not an option. (Basically I am doing these security things to get used to them in order to maybe later use them at work...)

Cheers, Andreas

--
He who laughs last is at 300 baud.
--
My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5
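A sketch of the "unpack a trusted toolset and use it instead of the installed binaries" idea from question 5, as an added example that is not code from the thread: the archive is checked against a digest recorded somewhere the machine cannot alter before anything in it is run, every unpacked file is checked against a manifest, and a modified archive is refused. The archive layout, manifest name and the stand-in `ps` are constructed for the demonstration; it assumes GNU coreutils `sha256sum` and `tar`.

```shell
#!/bin/sh
# Added example: use tools from a verified toolset archive instead of the
# installed binaries. The expected digest must come from somewhere the
# machine cannot alter (written down, kept on another host); a digest stored
# on the same disk, and the sha256sum/sh used to check it, are exactly what
# a CD protects and a local archive does not.

# Build a constructed toolset archive so the example runs stand-alone.
# Prints the archive digest, standing in for the offline-recorded value.
make_demo_toolset() {
    work=$1
    mkdir -p "$work/toolset/bin"
    # Stand-in for a trusted binary (a real set would hold statically
    # linked ps, ls, netstat, ... and the rootkit checkers themselves).
    printf '#!/bin/sh\necho trusted-ps\n' > "$work/toolset/bin/ps"
    chmod 755 "$work/toolset/bin/ps"
    (cd "$work/toolset" && sha256sum bin/ps > MANIFEST) || return 1
    tar -C "$work" -cf "$work/toolset.tar" toolset || return 1
    sha256sum "$work/toolset.tar" | cut -d' ' -f1
}

# run_trusted ARCHIVE EXPECTED_DIGEST TOOL [ARGS...]
# Refuses the archive unless its digest matches, unpacks it into a fresh
# private directory, checks every file against the manifest, then runs TOOL
# with PATH restricted to the trusted bin directory.
run_trusted() {
    archive=$1 expected=$2 tool=$3
    shift 3
    case $tool in */*|'') echo "bad tool name" >&2; return 1;; esac
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "toolset archive digest mismatch, refusing to run" >&2
        return 1
    fi
    dir=$(mktemp -d) || return 1
    tar -C "$dir" -xf "$archive" || { rm -rf "$dir"; return 1; }
    if ! (cd "$dir/toolset" && sha256sum -c --quiet MANIFEST); then
        echo "manifest check failed" >&2; rm -rf "$dir"; return 1
    fi
    PATH="$dir/toolset/bin" "$dir/toolset/bin/$tool" "$@"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Resident tools such as rkdet are not covered by this pattern, as the question already notes: a one-shot run can be verified and discarded, a daemon stays on the writable disk.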
On Sunday 04 May 2003 11:48, Andreas Wagner wrote:
> .... BTW, I am trying to set this up on my home/notebook system, which I am also using for my day-to-day work, ....

Depending on the volume you need for that, perhaps it's interesting to think about a write-protected flash memory module. It's possible too to have executables compressed with 'upx', so you can execute them directly without the need to uncompress them to the hard disk.

Regards,
Pedro
participants (3): Andreas Wagner, Michael Karges, Pedro Cáliz