I've used rkhunter for quite some time & have found it useful,
but do use a number of other things as well. Much home grown.
As to support, I've reported a bug via the Fedora bugzilla &
it was fixed.
2020/06/27 - sshd_config -
https://bugzilla.redhat.com/show_bug.cgi?id=1851620
and one that had already been fixed (use of egrep) but these were triggered by
changes in the way sshd config files were arranged & egrep was being
discouraged in favour or grep -E (same for fgrep/grep -F ...) & stray escapes.
If you look at,
https://sourceforge.net/p/rkhunter/bugs/
there are the open bugs. Pick one & fix it
Likely the maintainer needs help, which means some young blood.
But as I recall from many years ago before I retired, young blood
actually caused me too many problems explaining why certain code was the way
it was from 30 years before & that if they wanted to rewrite something from
scratch that worked be my guest... they soon lost interest sadly.
Look at the user profiles of the maintainers, particularly, jhorne the
primary maintainer) & the comments there, as well as comments on many of the
open bugs.
Also jhorne's activity to see what was done & the needs...
John Horne: It appears both dogsbody & unspawn are no longer involved/responding
is that right?
I thought I'd look at doing something from the rkhunter bug list & picked the
oldest bug, permissions on rkhunter tmp files (I realise I need a longer life
expectancy, less grandchildren & slightly less travel addicted travel partner)
but as a suggestion would a start on that not be a much more restrictive
umask? (& see if Christoph Anton Mitterer <[email protected]> is happy
with that - as he submitted it in 2010! ;-)
Cheers
John
On Tue, 2024-03-12 at 19:50 -0400, r3doubt wrote:
> I have found rkhunter useful, especially for quick triage or auditing and
> hardening to create a baseline configuration. I wouldn't rely on static
> signatures for any sort of malware analysis or DFIR, regardless of OS or
> product.
>
> For a continuous monitoring EDR use case, I would recommend two free and open-
> source solutions, as an alternative to commercial offerings. I have found
> OSQuery to be a pretty useful tool on MacOS and Linux, giving me some of the
> same EDR via native logs I get using Sysmon and Windows Event Logs on Windows
> boxes. For dealing with "live off the land" style intrusions, this type of
> data is crucial for EDR. OSQuery will look at things like syslog, but will
> limit the info reported to a DIF on changes to certain logs or settings which
> are stored in SQL style relational DB. You can set custom monitoring in a
> syntax similar to SQL. I've been a "certified product engineer" for major
> vendors, and even contributed to some of their work on things like security
> orchestration, but you can't "buy" security, regardless of the product, comes
> down to putting in the work.
>
> You can also install an instance of Security Onion, and run it as either a
> distributed instance for enterprise use, or in the standalone mode for the
> student, hobbyist, SoHo network. It can be set to pull your native logs from
> Linux, and do a lot of ingest and normalization for you, giving you a pretty
> nice dashboard and SOC environment based in Kibana (it runs on ELK stack). It
> can also work, out of the box, with OSQuery on your Linux endpoints.
>
> Don't forget about NIST either. NIST, CISA, NSA, and GCHQ (UK) have all put
> out various public hardening guides and even open-sourced auditing and
> hardening scripts for Linux / Unix systems to help automate configurations.
>
> -R3doubt
>
> On Tue, Mar 12, 2024 at 7:17 PM Michael Lazin <[email protected]> wrote:
> > Commercial EDR solutions like SentinelOne and Crowdstrike are better for
> > business users who need protection against advanced threat actors, I know
> > both use AWS IP addresses to report to an AI backend. The AI engine is
> > really just using statistical analysis. Chkrootkit is another free offering
> > but I think rkhunter is better as far as free tools.
> >
> > Michael Lazin
> >
> > .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
> >
> >
> > On Tue, Mar 12, 2024 at 6:25 PM <[email protected]> wrote:
> > > What are people using instead?
> > > _______________________________________________
> > > Rkhunter-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> > _______________________________________________
> > Rkhunter-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> _______________________________________________
> Rkhunter-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
