LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-08-2010, 01:56 PM   #1
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Rep: Reputation: 39
Chkrootkit versus Rootkit Hunter


Hi there --

I am going through the motions of testing the checkrootkit and rootkit hunter applications on one of our servers. I wanted to get feedback from those who know both as to which of the two is better at 'sniffing' out rootkits.

Alternatively, can both be installed without their interfering with the other?

Thanks.
 
Old 06-08-2010, 02:16 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Security starts at O.S. install time, via post-install hardening, through to regular auditing. Postmortem, single-purpose tools like Chkrootkit or Rootkit Hunter have their place in this, but they are not all-encompassing or without flaws or blind spots. Deploying a minimal array of tools comprising, say, Samhain, GNU/Tiger, Chkrootkit and Rootkit Hunter is efficient, allows for some overlap, is easily accomplished, and these tools coexist without problems.
 
Old 06-09-2010, 09:12 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As far as the "which of the two is better" part of your question is concerned, there are a few things to compare. Before you get into that, realize that no postmortem rootkit detection works if the system is subverted. That's the reason I pointed to post-install hardening and regular auditing as being crucial. While I'm obviously involved with Rootkit Hunter, I like to think I can still look at Chkrootkit, the 'rootcheck' v2.4 part of OSSEC-HIDS and Rootkit Hunter in an unbiased way. If anyone finds any omissions, errors or traces of bias, don't hesitate to correct me:

CRT:
latest is 0.49 30/07/2009
CVS: (unknown)
latest commit: unknown
CVS tarball: no
bug tracker: unknown
mailing list: no (crt-users is stale)
CVE: (none)
D/L: unknown
Rootkit and worm names: 63
Deploy without installation: yes
Deploy without compiling: no (misses tools)
Requires configuring: no
False positives: rare (from running and looking at questions in fora)
Consists of one binary or script: no
Uses 3rd party tools: no (only supplied)

OSSEC rootcheck:
latest is 2.4.1 01/04/2010
CVS: (404)
latest commit: unknown
CVS tarball: unknown
bug tracker: UserVoice
mailing list: yes (ossec-list), active
CVE: (none)
D/L: "more than 5,000 downloads per month on average"
Rootkit and worm names: 59
Deploy without installation: no
Deploy without compiling: no
Requires configuring: no (I think)
False positives: (unknown)
Consists of one binary or script: no
Uses 3rd party tools: none

RKH:
latest is 1.3.6 29/11/2009
CVS: Sourceforge
latest commit: Feb 2010
CVS tarball: yes
bug tracker: Sourceforge
mailing list: yes (rkhunter-users), active
CVE: CVE-2005-1270, CVE-2008-4982
D/L: 1,500 per month average
Rootkit and worm names: 79
Deploy without installation: yes
Deploy without compiling: yes
Requires configuring: yes.
False positives: without configuration, out-of-the-box: yes.
Consists of one binary or script: no
Uses 3rd party tools: yes

//That's all I have time for now, I may add more later on.
 
Old 06-09-2010, 01:08 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Now that is interesting. Especially since I'll be choosing between rkhunter (which I've used) and OSSEC (which I've not used) to deploy to a group of production servers soon.

I bolted together my own distributed HIDS (using AIDE, openssl, and shell scripts), and I may do the same sort of thing with rkhunter (for additional sanity checks).
 
Old 06-10-2010, 03:37 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Personally I'd say my post #2 is more important: the more time and effort you spend hardening the machine and setting up auditing, the fewer anomalies you should have to chase.
 