Re: [Rkhunter-users] Still under support?
Brought to you by:
dogsbody
From: r3doubt <r3...@r3...> - 2024-03-13 00:17:41
|
I have found rkhunter useful, especially for quick triage or auditing and hardening to create a baseline configuration. I wouldn't rely on static signatures for any sort of malware analysis or DFIR, regardless of OS or product. For a continuous monitoring EDR use case, I would recommend two free and open-source solutions, as an alternative to commercial offerings. I have found OSQuery to be a pretty useful tool on MacOS and Linux, giving me some of the same EDR via native logs I get using Sysmon and Windows Event Logs on Windows boxes. For dealing with "live off the land" style intrusions, this type of data is crucial for EDR. OSQuery will look at things like syslog, but will limit the info reported to a DIF on changes to certain logs or settings which are stored in SQL style relational DB. You can set custom monitoring in a syntax similar to SQL. I've been a "certified product engineer" for major vendors, and even contributed to some of their work on things like security orchestration, but you can't "buy" security, regardless of the product, comes down to putting in the work. You can also install an instance of Security Onion, and run it as either a distributed instance for enterprise use, or in the standalone mode for the student, hobbyist, SoHo network. It can be set to pull your native logs from Linux, and do a lot of ingest and normalization for you, giving you a pretty nice dashboard and SOC environment based in Kibana (it runs on ELK stack). It can also work, out of the box, with OSQuery on your Linux endpoints. Don't forget about NIST either. NIST, CISA, NSA, and GCHQ (UK) have all put out various public hardening guides and even open-sourced auditing and hardening scripts for Linux / Unix systems to help automate configurations. -R3doubt On Tue, Mar 12, 2024 at 7:17 PM Michael Lazin <mic...@gm...> wrote: > Commercial EDR solutions like SentinelOne and Crowdstrike are better for > business users who need protection against advanced threat actors, I know > both use AWS IP addresses to report to an AI backend. The AI engine is > really just using statistical analysis. Chkrootkit is another free > offering but I think rkhunter is better as far as free tools. > > Michael Lazin > > .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι. > > > On Tue, Mar 12, 2024 at 6:25 PM <cal...@fa...> wrote: > >> What are people using instead? >> _______________________________________________ >> Rkhunter-users mailing list >> Rkh...@li... >> https://lists.sourceforge.net/lists/listinfo/rkhunter-users >> > _______________________________________________ > Rkhunter-users mailing list > Rkh...@li... > https://lists.sourceforge.net/lists/listinfo/rkhunter-users > |