LinuxQuestions.org - Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-24-2006, 05:36 AM   #1
babysnake
Member
 
Registered: May 2006
Posts: 37

Rep: Reputation: 15
chkrootkit on a CD - howto ?


hi

as a noob trying to set up my first 'real' server i'm trying to cover the security angle as far as poss

can anyone walk me through, or point me towards (i've googled but no joy) a step-by-step of how to statically compile chkrootkit and all the required binaries onto a CD so i can periodically check the server for compromise

thanks indeed

neill
 
Old 11-24-2006, 07:03 AM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,908

Rep: Reputation: 356
There is a security oriented livecd distro called Phlak that might interest you. It includes chkrootkit, among other tools.

http://www.phlak.org/modules/news/

Click on the Documentation link, then Phlak Tools, followed by Linux Tools to see what's on the cd.

Last edited by bigrigdriver; 11-24-2006 at 07:05 AM.
 
Old 11-25-2006, 03:22 AM   #3
babysnake
Member
 
Registered: May 2006
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bigrigdriver
There is a security oriented livecd distro called Phlak that might interest you. It includes chkrootkit, among other tools.

http://www.phlak.org/modules/news/

Click on the Documentation link, then Phlak Tools, followed by Linux Tools to see what's on the cd.
thanks i'll give it a look

 
Old 11-25-2006, 06:00 PM   #4
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
There is also another Live CD distro called BackTrack that may be of interest. I haven't used it myself, but it is the successor to Auditor.
 
Old 11-26-2006, 04:02 PM   #5
makix
LQ Newbie
 
Registered: Apr 2005
Distribution: fedora
Posts: 16

Rep: Reputation: 0
BackTrack is the best; I have been using it for a long time. If you are interested in security it must be in your collection. So many tools and programs cannot be found on the net so easily.
 
Old 11-27-2006, 02:35 AM   #6
babysnake
Member
 
Registered: May 2006
Posts: 37

Original Poster
Rep: Reputation: 15
thanks for that - i've downloaded phlak, backtrack and another security distro called insert

i'm guessing this is what i do ....

leave the distro CD in the server and mount the appropriate locations off it to the server filesystem

something like /mnt/cd/bin or /sbin or wherever they put chkrootkit

then i can run /mnt/cd/bin/chkrootkit with the appropriate arguments to check the server / (i'll need to figure this all out with some experimentation methinks !!)

i'll get a chance to play next few days and i'll report back how it goes

thanks for the input

neill
 
Old 11-28-2006, 08:09 AM   #7
babysnake
Member
 
Registered: May 2006
Posts: 37

Original Poster
Rep: Reputation: 15
variable success

backtrack and insert look like excellent tools, as does nUbuntu which is very similar to backtrack in terms of tools and approach

all the above are designed to be used as live CDs however, and don't really suit my purposes

what i'm after is the ability to run chkrootkit from a readonly environment

i understand i can do this either by statically compiling chkrootkit and all the necessary binaries (awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname) on a cd, mounting the directory on my filesystem and then running chkrootkit from there - the logic being that chkrootkit and the binaries are uncorruptable being read only

or i can run chkrootkit with the -p option and just point to the mounted binaries

eg: chkrootkit -p /mnt/path/to/read-only/binaries

see http://www.oreilly.com/pub/h/1406 for the sort of thing i'm trying to do

what i lack is the knowledge how to statically compile the appropriate binaries +/- chkrootkit onto a CD so the above strategy works

on the bright side i'm enjoying myself with backtrack finding all the holes in my LAN !!

neill
 
Old 11-30-2006, 05:48 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by babysnake
the logic being that chkrootkit and the binaries are uncorruptable being read only
If a rootkit is preloaded it may hide processes and files. Static binaries won't help against that, only dissection of the corpse (vs 'Live' system).


Quote:
Originally Posted by babysnake
what i lack is the knowledge how to statically compile the appropriate binaries
Compiling Chkrootkit helper apps is just adding the -static flag. Busybox can be compiled static using a ./configure --switch; recent versions include about everything you need, including 'strings' and (iproute2's) 'ip'. The "problem" with Chkrootkit is it may rely on shell specs and switches the Busybox binary doesn't have, so you probably need to tweak CRT's source a bit. Should not be impossible though.
 
Old 11-30-2006, 06:16 PM   #9
babysnake
Member
 
Registered: May 2006
Posts: 37

Original Poster
Rep: Reputation: 15
OK

i've found some stuff about how to statically compile busybox onto a CD, so i'll try that over the next week (when i get time !!!) and report back

thanks

neill
 