04-14-2007, 08:49 PM, #1 (LQ Newbie, Registered: Feb 2007, Distribution: Ubuntu 7.10 Mint 4.0, Posts: 23)
Which one is better, chkrootkit or rkhunter?
I run chkrootkit and rkhunter. I was reading that it's better to run rkhunter from a floppy; I don't know if this is true or not.
Or can you use both? I assume you can! It looks to me like they both do the same thing...
04-15-2007, 03:02 AM, #2 (Moderator unSpawn, Registered: May 2001, Posts: 29,415)
//Moved post to new thread. Please don't tack on to existing threads if your questions do not address the OP's questions.

Generally speaking (and I mean very generally speaking), Chkrootkit (CRT) and Rootkit Hunter (RKH) are both host-based, passive, post-incident auditing tools meant to check for signs of malicious activity. While they have some things in common, they have different features. Best to compare CRT with RKH's upcoming 1.3.0 release: see RKH's CVS at Sourceforge, since a lot will change (and I do mean a *lot*).

Running any audit tool from a LiveCD is a "best practice" approach when the target system is suspected of having been tampered with or outright can't be trusted. I also added a short doc to the 1.3.0 branch about running RKH with Webjob. While its usage doesn't seem that widespread, it could be used as an alternative to running a LiveCD in some situations.

Running both CRT and RKH causes some overlap in tests but isn't bad, since it allows for a second opinion, which in some cases can be a good thing. Finally, don't forget that running CRT or RKH alone does *not* constitute proper system hardening or system auditing. There's more you need to do. See the LQ FAQ: Security references for more info.
04-15-2007, 12:54 PM, #3 (Member Zention, Registered: Mar 2007, Posts: 119)
Run both.
It is hard to determine which is better than the other; it does not make much sense when we are dealing with only two fairly full-featured rootkit finders. If there are things that don't fall into the intersection of the two (or more), then you will want to run those that give you the largest collection of hits.
If there were a hundred, then it might make sense to compare and contrast to find the optimum speed against maximum detection. Still, things tend to niche at that point, and you will have to make comparisons depending upon your position.
04-16-2007, 01:57 AM, #4 (Moderator unSpawn, Registered: May 2001, Posts: 29,415)
Quote (Originally Posted by Zention): It is hard to determine which is better than the other; it does not make much sense when we are dealing with only two fairly full-featured rootkit finders.
No, it's not hard. It just takes knowledge and time. BTW, there are two more tools in the field I know of: OSSEC and Zeppoo.
Quote (Originally Posted by Zention): If there are things that don't fall into the intersection of the two (or more), then you will want to run those that give you the largest collection of hits.
The amount of "hits" is of lesser consequence than the accuracy, IMNSHO, and having a large amount of "hits" doesn't imply greater accuracy. RKH can generate a fair amount of FPs, and CRT's chkproc will sometimes generate FPs too. FPs are for the user to verify.
Quote (Originally Posted by Zention): If there were a hundred, then it might make sense to compare and contrast to find the optimum speed against maximum detection. Still, things tend to niche at that point, and you will have to make comparisons depending upon your position.
I think it's too easy to say "make comparisons depending upon your position". How about some solid criteria?
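The "second opinion" you get from running both tools (post #2) and the false-positive verification unSpawn insists on (post #4) are easier to act on when the two reports are normalised to a common vocabulary and cross-referenced. The shell script below is an added example, not code from chkrootkit, rkhunter or any poster in this thread. The sample outputs embedded in it are constructed to mimic each tool's reporting format, and the finding labels (binary:, process:, promisc:, hidden:) are this example's own convention, not either tool's.

```shell
#!/bin/sh
# Added example (not chkrootkit, rkhunter or LQ code): cross-reference the
# findings of both tools so the overlap and the single-tool items stand out.
# Fixed collation so `sort` and `comm` agree on ordering.
export LC_ALL=C

# Typical trusted-media run, NOT executed here: boot a LiveCD, mount the
# suspect root read-only (e.g. at /mnt/suspect) and point chkrootkit at it
# with -r (alternate root) and -p (path to the LiveCD's own trusted binaries):
#   chkrootkit -r /mnt/suspect -p /bin:/usr/bin > crt.out

# Constructed sample of chkrootkit output, in its reporting format.
crt_sample() {
cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `lkm'... You have     2 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `wted'... chkwtmp: nothing deleted
EOF
}

# Constructed sample of rkhunter output as printed with --report-warnings-only.
rkh_sample() {
cat <<'EOF'
Warning: The command '/bin/ls' has been replaced by a script: /bin/ls: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/bin/top
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
EOF
}

# Normalise chkrootkit output to one finding per line:
#   binary:<name>         an INFECTED result for a checked command
#   process:hidden        chkproc's hidden-process / LKM warning (known FP source)
#   promisc:<if>:<prog>   a promiscuous-mode socket and the program holding it
crt_findings() {
    sed -n \
        -e "s/^Checking \`\([^']*\)'\.\.\. INFECTED.*/binary:\1/p" \
        -e "s/^chkproc: Warning.*/process:hidden/p" \
        -e "s/.*process hidden for.*/process:hidden/p" \
        -e "s/^Checking \`sniffer'\.\.\. \([a-z0-9]*\): PF_PACKET(\(.*\))/promisc:\1:\2/p" \
    | sort -u
}

# Normalise rkhunter warnings to the same vocabulary; command paths are cut
# down to the basename so they line up with chkrootkit's bare command names.
rkh_findings() {
    sed -n \
        -e "s/^Warning: The command '\([^']*\)' has been replaced.*/binary:\1/p" \
        -e "s/^ *File: \(\/.*\)/binary:\1/p" \
        -e "s/^Warning: Hidden directory found: \([^:]*\).*/hidden:\1/p" \
        -e "s/^Warning: Hidden file found: \([^:]*\).*/hidden:\1/p" \
    | sed 's|^binary:.*/|binary:|' | sort -u
}

# Three-way split of two sorted finding lists. Items flagged by both tools are
# verified first; single-tool items are where each tool's known false positives
# tend to land, so they are checked against the package manager (debsums,
# rpm -V) and the live system rather than dismissed.
triage() {
    printf '== flagged by both ==\n'; comm -12 "$1" "$2"
    printf '== chkrootkit only ==\n'; comm -23 "$1" "$2"
    printf '== rkhunter only ==\n';   comm -13 "$1" "$2"
}

# Run on the constructed samples; for real runs, feed saved chkrootkit output
# and `rkhunter --check --rwo` output through the same two filters.
demo() {
    c=$(mktemp) && r=$(mktemp) || return 1
    crt_sample | crt_findings > "$c"
    rkh_sample | rkh_findings > "$r"
    triage "$c" "$r"
    rm -f "$c" "$r"
}

demo
```

In the constructed run only `ls` lands in the "flagged by both" section; `ifconfig`, the chkproc hidden-process warning and the promiscuous dhclient socket come from chkrootkit alone, and `top` plus the two hidden /dev entries from rkhunter alone. None of the single-tool items is a miss or a confirmed hit until it has been verified by hand, which is exactly the point made in post #4.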
04-16-2007, 01:18 PM, #5 (Member Zention, Registered: Mar 2007, Posts: 119)
Quote: I think it's too easy to say "make comparisons depending upon your position". How about some solid criteria?
On what, some theoretical time in the future where there are 100 or so rootkit checkers?
The idea of the niche will probably show up in appliances, so say you have a rootkit checker designed for a web server, or a handheld or mobile phone; they will be similar, probably feeding off a couple of centralized vulnerability sources, but purposed optimally for the environment.
Quote: No, it's not hard. It just takes knowledge and time. BTW, there are two more tools in the field I know of: OSSEC and Zeppoo.
And yet you don't make a comparison.
The question was:
Which one is better, chkrootkit or rkhunter?
There are only two there?
The question was not:
What is the best rootkit checker?
Quote: The amount of "hits" is of lesser consequence than the accuracy, IMNSHO, and having a large amount of "hits" doesn't imply greater accuracy. RKH can generate a fair amount of FPs, and CRT's chkproc will sometimes generate FPs too. FPs are for the user to verify.
Hits was not quoted (") by me; hits means just that, hits, not misses or false positives. Those are both misses, false positives being the worse miss. Hits can be thought of as ambiguous, but in the context of what I said it was in determining vulnerability detection set size. Taking your idea that a hit is anything, we get absurd comments like 'oh look, he hit some air to the right of the target'. A hit is if you hit the target, not if you miss it.
Anyway, my position stands: it is very, very hard to determine which is best. Not only is it a moving target, the vulnerability catchment will differ, and that is the thing you are mainly interested in.
It is a good thing at least two fully featured rootkit detectors exist; they act as a failsafe for each other, so looking to see which is best is not that productive (not only is it hard to determine, you do want to use both), and that is the essence of my point.
Last edited by Zention; 04-16-2007 at 01:24 PM.
04-16-2007, 05:06 PM, #6 (Moderator unSpawn, Registered: May 2001, Posts: 29,415)
All I asked you was to clarify, for the benefit of the OP, by adding objective criteria instead of unloading back onto him. Maybe brush up on your practical knowledge of GNU/Linux-based rootkits and detection methods first though.
04-16-2007, 07:24 PM, #7 (Member Zention, Registered: Mar 2007, Posts: 119)
>>> All I asked you was to clarify, for the benefit of the OP, by adding objective criteria instead of unloading back onto him. Maybe brush up on your practical knowledge of GNU/Linux-based rootkits and detection methods first though.
You didn't actually, but you are free to do the same.
04-16-2007, 10:17 PM, #8 (LQ Newbie, Original Poster, Registered: Feb 2007, Distribution: Ubuntu 7.10 Mint 4.0, Posts: 23)
unSpawn, thank you. I will check out Sourceforge.
Zention, thank you as well.