Hello, n00b here,

Would it be a good idea to extend rkhunter to
check for changes to the BIOS since the last time rkhunter
was run?

For example, each time rkhunter is run, make a copy
of the BIOS and BIOS settings to files.  Then check
if a previous set of files exists (from a previous
run of rkhunter), and then warn if the two sets are
different.  It would be especially suspicious if the
contents of BIOS had changed but the version number
had not changed.

In Linux, do "sudo grep ROM /proc/iomem".  If it
returns "000f0000-000fffff : System ROM", you can read BIOS via
"sudo dd if=/dev/mem of=pcbios.bin bs=64k skip=15 count=1 # 15*64k + 64k"
or "sudo dd if=/dev/mem of=pcbios.bin bs=1k skip=960 count=64".

In Linux, run "sudo dmidecode" and then look at the "BIOS Information" section?
Maybe this is vendor-specific.

In Linux, also copy from /dev/microcode and monitor that too.

Thanks,

Bill Dietrich   [email protected]  https://www.billdietrich.me/
PGP public key available at 
https://api.protonmail.ch/pks/lookup?op=get&search=[email protected]

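The snapshot-and-compare check sketched in the message above, written out as an added example (editor's illustration for the list, not rkhunter's own code and not the poster's). It assumes the legacy System ROM window at 000f0000-000fffff from the post, that dmidecode is installed, and a state directory whose default path (/var/lib/bios-snapshot) is hypothetical. The comparison deliberately keeps the stored baseline when a difference is found, so the warning repeats on every run until an operator replaces the baseline after a known firmware update; it also singles out the case the poster called especially suspicious, where the ROM contents change while the reported version string does not.

```shell
#!/bin/sh
# Added example (editor's illustration, not rkhunter's own code or the poster's).
# Assumptions: legacy System ROM window at 000f0000-000fffff (as in the post),
# dmidecode installed, and a state directory (hypothetical default below).
STATE_DIR="${BIOS_STATE_DIR:-/var/lib/bios-snapshot}"

# snapshot_bios DIR: dump the System ROM window and the DMI "BIOS Information"
# block into DIR. Needs root; the dd command is the one from the post.
snapshot_bios() {
    dir="$1"
    mkdir -p "$dir"
    if grep -q '000f0000-000fffff : System ROM' /proc/iomem 2>/dev/null; then
        dd if=/dev/mem of="$dir/pcbios.bin" bs=64k skip=15 count=1 2>/dev/null \
            || echo "note: could not read /dev/mem (kernel may restrict it)"
    else
        echo "note: System ROM window not found in /proc/iomem, skipping ROM dump"
    fi
    dmidecode -t bios > "$dir/dmidecode-bios.txt" 2>/dev/null \
        || echo "note: dmidecode failed, skipping DMI snapshot"
}

# bios_version FILE: the "Version:" line from a saved dmidecode dump, if any.
bios_version() {
    grep '^[[:space:]]*Version:' "$1" 2>/dev/null | head -n 1 \
        | sed 's/^[[:space:]]*//' || true
}

# compare_snapshots PREV CUR: warn about each artifact that differs.
# Returns 0 (no change), 1 (something changed) or 2 (contents changed while
# the reported BIOS version string stayed the same: the suspicious case).
compare_snapshots() {
    prev="$1"; cur="$2"; rc=0
    for f in pcbios.bin dmidecode-bios.txt; do
        if [ -f "$prev/$f" ] && [ -f "$cur/$f" ]; then
            if ! cmp -s "$prev/$f" "$cur/$f"; then
                echo "Warning: $f differs from the previous run"
                rc=1
            fi
        fi
    done
    if [ "$rc" -eq 1 ]; then
        pv=$(bios_version "$prev/dmidecode-bios.txt")
        cv=$(bios_version "$cur/dmidecode-bios.txt")
        if [ -n "$pv" ] && [ "$pv" = "$cv" ]; then
            echo "Warning: BIOS contents changed but version string did not: $pv"
            rc=2
        fi
    fi
    return "$rc"
}

# run_check: take a fresh snapshot, compare it with the stored baseline, and
# replace the baseline only when nothing changed. After a real firmware
# update an operator removes the baseline directory to accept the new state.
run_check() {
    cur="$STATE_DIR/current"; prev="$STATE_DIR/baseline"
    rm -rf "$cur"
    snapshot_bios "$cur"
    if [ ! -d "$prev" ]; then
        echo "No baseline yet; storing this snapshot as the baseline in $prev"
        mv "$cur" "$prev"
        return 0
    fi
    rc=0
    compare_snapshots "$prev" "$cur" || rc=$?
    if [ "$rc" -eq 0 ]; then
        rm -rf "$prev" && mv "$cur" "$prev"
    else
        echo "Baseline kept; changed snapshot left in $cur for inspection"
    fi
    return "$rc"
}

# Run the check only when invoked directly with --run (e.g. from cron as root).
if [ "${1:-}" = "--run" ]; then
    run_check
    exit $?
fi
```

Usage: `sudo sh bios-check.sh --run` on each rkhunter run; the first run stores the baseline and later runs exit non-zero with a warning when the ROM dump or the DMI block differs. On kernels built with CONFIG_STRICT_DEVMEM the dd read of /dev/mem fails and only the dmidecode output is compared, which is weaker, since DMI data comes from the firmware itself.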
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users