Re: [Rkhunter-users] Still under support?
Brought to you by:
dogsbody
From: <jwa...@gm...> - 2024-03-16 05:15:29
|
I've used rkhunter for quite some time & have found it useful, but do use a number of other things as well. Much home grown. As to support, I've reported a bug via the Fedora bugzilla & it was fixed. 2020/06/27 - sshd_config - https://bugzilla.redhat.com/show_bug.cgi?id=1851620 and one that had already been fixed (use of egrep) but these were triggered by changes in the way sshd config files were arranged & egrep was being discouraged in favour or grep -E (same for fgrep/grep -F ...) & stray escapes. If you look at, https://sourceforge.net/p/rkhunter/bugs/ there are the open bugs. Pick one & fix it Likely the maintainer needs help, which means some young blood. But as I recall from many years ago before I retired, young blood actually caused me too many problems explaining why certain code was the way it was from 30 years before & that if they wanted to rewrite something from scratch that worked be my guest... they soon lost interest sadly. Look at the user profiles of the maintainers, particularly, jhorne the primary maintainer) & the comments there, as well as comments on many of the open bugs. Also jhorne's activity to see what was done & the needs... John Horne: It appears both dogsbody & unspawn are no longer involved/responding is that right? I thought I'd look at doing something from the rkhunter bug list & picked the oldest bug, permissions on rkhunter tmp files (I realise I need a longer life expectancy, less grandchildren & slightly less travel addicted travel partner) but as a suggestion would a start on that not be a much more restrictive umask? (& see if Christoph Anton Mitterer <cal...@sc...> is happy with that - as he submitted it in 2010! ;-) Cheers John On Tue, 2024-03-12 at 19:50 -0400, r3doubt wrote: > I have found rkhunter useful, especially for quick triage or auditing and > hardening to create a baseline configuration. I wouldn't rely on static > signatures for any sort of malware analysis or DFIR, regardless of OS or > product. > > For a continuous monitoring EDR use case, I would recommend two free and open- > source solutions, as an alternative to commercial offerings. I have found > OSQuery to be a pretty useful tool on MacOS and Linux, giving me some of the > same EDR via native logs I get using Sysmon and Windows Event Logs on Windows > boxes. For dealing with "live off the land" style intrusions, this type of > data is crucial for EDR. OSQuery will look at things like syslog, but will > limit the info reported to a DIF on changes to certain logs or settings which > are stored in SQL style relational DB. You can set custom monitoring in a > syntax similar to SQL. I've been a "certified product engineer" for major > vendors, and even contributed to some of their work on things like security > orchestration, but you can't "buy" security, regardless of the product, comes > down to putting in the work. > > You can also install an instance of Security Onion, and run it as either a > distributed instance for enterprise use, or in the standalone mode for the > student, hobbyist, SoHo network. It can be set to pull your native logs from > Linux, and do a lot of ingest and normalization for you, giving you a pretty > nice dashboard and SOC environment based in Kibana (it runs on ELK stack). It > can also work, out of the box, with OSQuery on your Linux endpoints. > > Don't forget about NIST either. NIST, CISA, NSA, and GCHQ (UK) have all put > out various public hardening guides and even open-sourced auditing and > hardening scripts for Linux / Unix systems to help automate configurations. > > -R3doubt > > On Tue, Mar 12, 2024 at 7:17 PM Michael Lazin <mic...@gm...> wrote: > > Commercial EDR solutions like SentinelOne and Crowdstrike are better for > > business users who need protection against advanced threat actors, I know > > both use AWS IP addresses to report to an AI backend. The AI engine is > > really just using statistical analysis. Chkrootkit is another free offering > > but I think rkhunter is better as far as free tools. > > > > Michael Lazin > > > > .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι. > > > > > > On Tue, Mar 12, 2024 at 6:25 PM <cal...@fa...> wrote: > > > What are people using instead? > > > _______________________________________________ > > > Rkhunter-users mailing list > > > Rkh...@li... > > > https://lists.sourceforge.net/lists/listinfo/rkhunter-users > > _______________________________________________ > > Rkhunter-users mailing list > > Rkh...@li... > > https://lists.sourceforge.net/lists/listinfo/rkhunter-users > _______________________________________________ > Rkhunter-users mailing list > Rkh...@li... > https://lists.sourceforge.net/lists/listinfo/rkhunter-users |