Linux - Security
I am going through the motions of testing the chkrootkit and rootkit hunter applications on one of our servers. I wanted to get feedback from those who know both as to which of the two is better at 'sniffing' out rootkits.
Alternatively, can both be installed without their interfering with the other?
Security starts at O.S. install-time, via post-install hardening, through to regular auditing. Postmortem, single-purpose tools like Chkrootkit or Rootkit Hunter have their place in this, but they are not all-encompassing or without flaws or blind spots. Deploying a minimal array of tools comprising the likes of Samhain, GNU/Tiger, Chkrootkit and Rootkit Hunter is efficient, allows for some overlap, is easily accomplished, and these tools coexist without problems.
As far as the "which of the two is better" part of your question is concerned, there are a few things to compare. Before you get into that, realize that no postmortem rootkit detection works if the system is subverted. That's the reason I pointed to post-install hardening and regular auditing as being crucial. While I'm obviously involved with Rootkit Hunter, I like to think I can still look at Chkrootkit, the 'rootcheck' v2.4 part of OSSEC-HIDS and Rootkit Hunter in an unbiased way. If anyone finds any omissions, errors or traces of bias, don't hesitate to correct me:
CRT:
latest is 0.49 30/07/2009
CVS: (unknown)
latest commit: unknown
CVS tarball: no
bug tracker: unknown
mailing list: no (crt-users is stale)
CVE: (none)
D/L: unknown
Rootkit and worm names: 63
Deploy without installation: yes
Deploy without compiling: no (misses tools)
Requires configuring: no
False positives: rare (from running and looking at questions in fora)
Consists of one binary or script: no
Uses 3rd party tools: no (only supplied)
OSSEC rootcheck:
latest is 2.4.1 01/04/2010
CVS: (404)
latest commit: unknown
CVS tarball: unknown
bug tracker: UserVoice
mailing list: yes (ossec-list), active
CVE: (none)
D/L: "more than 5,000 downloads per month on average"
Rootkit and worm names: 59
Deploy without installation: no
Deploy without compiling: no
Requires configuring: no (I think)
False positives: (unknown)
Consists of one binary or script: no
Uses 3rd party tools: none
RKH:
latest is 1.3.6 29/11/2009
CVS: Sourceforge
latest commit: Feb 2010
CVS tarball: yes
bug tracker: Sourceforge
mailing list: yes (rkhunter-users), active
CVE: CVE-2005-1270, CVE-2008-4982
D/L: 1,500 per month average
Rootkit and worm names: 79
Deploy without installation: yes
Deploy without compiling: yes
Requires configuring: yes.
False positives: without configuration, out-of-the-box: yes.
Consists of one binary or script: no
Uses 3rd party tools: yes
//That's all I have time for now, I may add more later on.
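The coexistence part of the question, as an added example that is not code from this thread or from either project: a cron-style wrapper that runs chkrootkit and rkhunter one after the other and triages both outputs with a single function. It assumes chkrootkit's -q flag, rkhunter's --check, --skip-keypress and --report-warnings-only flags, and that hits are marked INFECTED (chkrootkit) or prefixed "Warning:" (rkhunter); the function names and the sample output are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit/rkhunter.
# Runs both scanners back to back from one cron-style wrapper (they keep
# separate state) and triages both outputs with one function, so cron
# mail carries only findings. Function names and samples are constructed.

# triage TOOL: read scanner output on stdin, print "TOOL: line" per finding.
# Case-sensitive on purpose: chkrootkit's routine "not infected" lines
# must not count as hits; real hits say INFECTED, rkhunter says "Warning:".
triage() {
    while IFS= read -r line; do
        case $line in
            *INFECTED*|Warning:*) printf '%s: %s\n' "$1" "$line" ;;
        esac
    done
}

# count_findings TOOL: number of findings as a plain integer (0 if clean).
count_findings() {
    triage "$1" | awk 'END { print NR }'
}

# scan_all: run whichever scanner is installed, emitting triaged lines.
# Assumed flags: chkrootkit -q (quiet); rkhunter --check --skip-keypress
# --report-warnings-only. rkhunter reports legitimately updated binaries as
# changed until its property database is refreshed (rkhunter --propupd);
# that is the out-of-the-box false positive the post above refers to.
scan_all() {
    if command -v chkrootkit >/dev/null 2>&1; then
        chkrootkit -q 2>&1 | triage chkrootkit
    fi
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --skip-keypress --report-warnings-only 2>&1 \
            | triage rkhunter
    fi
}

# run_scans: print findings and return 1 if there were any, 0 if clean.
# cron mails any output, so a clean run produces no mail at all.
run_scans() {
    findings=$(scan_all)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample output (not captured from real scans) for the triage.
SAMPLE_CHK="Checking \`ls'... not infected
Checking \`ps'... INFECTED"
SAMPLE_RKH="Warning: The command '/bin/ps' has been replaced by a script"

case ${1:-} in --live) run_scans ;; esac   # from cron: sh wrapper.sh --live
```

Without the --live argument the script only defines the functions and sample data, so it can be sourced and exercised without either scanner installed.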
Now that is interesting. Especially since I'll be choosing between rkhunter (which I've used) and OSSEC (which I've not used) to deploy to a group of production servers soon.
I bolted together my own distributed HIDS (using AIDE, openssl, and shell scripts), and I may do the same sort of thing with rkhunter (for additional sanity checks).
Personally I'd say my post #2 is more important: the more time and effort you spend hardening the machine and setting up auditing, the fewer anomalies you should have to chase.