At 08:57 p.m. 22/09/2003 -0400, Jason Dixon wrote:
On Mon, 2003-09-22 at 20:42, Benjamin J. Weiss wrote:
[snippy snip]
> Um...Jason...the CERT training that I went to stated (though I have not
> verified it externally) that it is still possible to fool chkrootkit if
> you are running it in a "compromised environment".  We were taught that
> the best way to go is to run it from a "clean" medium, such as Knoppix, to
> ensure that none of the binaries or LKMs are spoofing you.
>
> I know, you specifically stated that you should use good binaries...but
> this is easier and (AFAIK) foolproof...

I'm happy that your CERT training prepared you for small/home-office
operations.  However, many of us work and exist in environments where
carrying around a CD doesn't scale.  My suggestion can be quickly and
easily performed on remote systems.

Please then - do not use FUD to market your product.


> > > This way you will *ABSOLUTELY KNOW* that you are running a safe version of
> > > chkrootkit that will tell you whether or not you've been compromised.

This is misleading, and if the aim is to get people to be more security-minded then being misleading is a bad place to start.


It's like the various statements that float about:

"a personal firewall will protect you!"
"a good anti-virus product is all you need to stop computer nasties"
"switch to Linux, it has no viruses!"

I'm sure most of us have heard them over and over. I am also sure that, while to some degree they help the general pleb become slightly more security conscious than your average garden slug, they also lull people into a false sense of security, which makes things a _lot_ worse in the long run.

If you are not running this from a known good source then your "tests" are as good as useless - it would take a semi-skilled programmer around 5 seconds to bang out some code to detect and thwart your scanner (ok, maybe half a day :-) ). Load this code as a resident module and you immediately have problems, and many users will rest easy in the knowledge that they are "safe".

It is standard practice to revert to a _known_ good state before starting any scans for rootkits/backdoors/et al. A good and easy way to do this is to have the boot medium on a read-only device (well, CD-ROM seems a good choice) and totally isolated from any form of networking services.

Yes, this is not practical in every instance, and as with personal firewalls, anti-virus scanners and using "different operating systems that are not mainstream", every little bit helps - but PLEASE don't start spreading the same kind of drivel that many marketing plebs out there in the world today do. It makes you and your product look bad to the people who would get the most benefit from your product (even if you are giving it away).

In a corporate (SME to Large enterprise) scenario I would assume that they already have systems in place to cope with intrusion detection and eradication - including "known good" system configurations for just this purpose.

--
Jason Dixon, RHCE

*sigh* I guess RHCE doesn't delve into the security aspects then, eh?


--
Steve.
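A shell sketch of the known-good-medium procedure argued for above, added here as an example; it is not code from the list thread or from the chkrootkit project. It assumes the scanner's external tools (ls, ps, netstat, ...) and a SHA-256 manifest of them live on the read-only boot medium (the /cdrom paths are placeholders), that the suspect disk is mounted read-only under a mount point of your choosing, and it uses chkrootkit's documented -r (alternate root) and -p (path for external commands) options. The manifest and tool directory checks are what make the scan meaningful: if the tools the scanner shells out to don't match what was burned onto the medium, the scan is refused rather than run.

```shell
#!/bin/sh
# Added example (not from the redhat-list post or chkrootkit itself).
# Run from a trusted, read-only boot medium against a mounted suspect root.
# Paths below are assumptions; adjust to your rescue medium.

# Build the manifest once, when the trusted medium is assembled.
# $1 = directory of trusted binaries, $2 = manifest file to write
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          sha256sum "$f"
      done ) > "$2"
}

# Verify every tool in the manifest is present and unmodified.
# $1 = manifest (absolute path, since we cd into $2), $2 = tool directory
# Returns 0 only if all hashes match and no listed file is missing.
verify_tools() {
    ( cd "$2" && sha256sum -c --quiet --strict "$1" ) >/dev/null 2>&1
}

# True if $1 is a mount point mounted read-only (Linux mount(8) output format).
mounted_ro() {
    mount | grep " on $1 type " | grep -q "(ro[,)]"
}

# Refuse to scan unless the scanner's helpers are intact and the suspect
# filesystem cannot be written to. Nothing from the suspect root is executed:
# PATH is pinned to the trusted tool directory and chkrootkit is told the same.
# $1 = manifest, $2 = trusted tool dir (e.g. /cdrom/bin),
# $3 = suspect root (e.g. /mnt/suspect)
run_scan() {
    if ! verify_tools "$1" "$2"; then
        echo "trusted tool manifest mismatch in $2; refusing to scan" >&2
        return 2
    fi
    if ! mounted_ro "$3"; then
        echo "$3 is not mounted read-only; refusing to scan" >&2
        return 3
    fi
    PATH="$2" "$2/chkrootkit" -r "$3" -p "$2"
}

# Typical invocation from the rescue shell (placeholder paths):
#   run_scan /cdrom/manifest.sha256 /cdrom/bin /mnt/suspect
```

The manifest path must be absolute because verify_tools changes into the tool directory before checking; sha256sum -c fails for a missing file as well as a changed one, so a helper that was deleted from the medium is caught too. The read-only mount check only protects the evidence; the hash check is what protects the scan.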


