Re: [Rkhunter-users] Future of rkhunter (Was: Still under support?)
From: Dan B. <da...@do...> - 2024-03-17 12:43:11
Hi All,

I'm Dan (Dogsbody) and I (we) took ownership of the rkhunter project last month :-)

Sorry for the radio silence. There is a lot to unpack and, as you have all already stated, development has stalled for a number of years.

We have plans to update rkhunter (slowly at first), although it still stands up really well. As John states, there are already a pile of backlogged bugs, so please feel free to continue to submit improvements.

I do want to separate development conversations from user conversations, so please do sign up to the rkhunter-devel mailing list:
https://sourceforge.net/projects/rkhunter/lists/rkhunter-devel

More when I have it.

Dan Benton

On 16/03/2024 05:15, jwa...@gm... wrote:
> I've used rkhunter for quite some time & have found it useful,
> but do use a number of other things as well. Much home grown.
>
> As to support, I've reported a bug via the Fedora bugzilla &
> it was fixed.
>
> 2020/06/27 - sshd_config -
> https://bugzilla.redhat.com/show_bug.cgi?id=1851620
>
> and one that had already been fixed (use of egrep), but these were triggered by
> changes in the way sshd config files were arranged & egrep was being
> discouraged in favour of grep -E (same for fgrep/grep -F ...) & stray escapes.
>
> If you look at
>
> https://sourceforge.net/p/rkhunter/bugs/
>
> there are the open bugs. Pick one & fix it.
>
> Likely the maintainer needs help, which means some young blood.
> But as I recall from many years ago before I retired, young blood
> actually caused me too many problems explaining why certain code was the way
> it was from 30 years before, & that if they wanted to rewrite something from
> scratch that worked, be my guest... they soon lost interest sadly.
>
> Look at the user profiles of the maintainers, particularly jhorne (the
> primary maintainer) & the comments there, as well as comments on many of the
> open bugs.
> Also jhorne's activity to see what was done & the needs...
>
> John Horne: It appears both dogsbody & unspawn are no longer involved/responding,
> is that right?
>
> I thought I'd look at doing something from the rkhunter bug list & picked the
> oldest bug, permissions on rkhunter tmp files (I realise I need a longer life
> expectancy, fewer grandchildren & a slightly less travel-addicted travel partner),
> but as a suggestion, would a start on that not be a much more restrictive
> umask? (& see if Christoph Anton Mitterer <cal...@sc...> is happy
> with that, as he submitted it in 2010! ;-)
>
> Cheers
>
> John
>
> On Tue, 2024-03-12 at 19:50 -0400, r3doubt wrote:
>> I have found rkhunter useful, especially for quick triage or auditing and
>> hardening to create a baseline configuration. I wouldn't rely on static
>> signatures for any sort of malware analysis or DFIR, regardless of OS or
>> product.
>>
>> For a continuous monitoring EDR use case, I would recommend two free and
>> open-source solutions, as an alternative to commercial offerings. I have found
>> OSQuery to be a pretty useful tool on macOS and Linux, giving me some of the
>> same EDR via native logs I get using Sysmon and Windows Event Logs on Windows
>> boxes. For dealing with "live off the land" style intrusions, this type of
>> data is crucial for EDR. OSQuery will look at things like syslog, but will
>> limit the info reported to a diff on changes to certain logs or settings, which
>> are stored in an SQL-style relational DB. You can set custom monitoring in a
>> syntax similar to SQL. I've been a "certified product engineer" for major
>> vendors, and even contributed to some of their work on things like security
>> orchestration, but you can't "buy" security; regardless of the product, it comes
>> down to putting in the work.
>>
>> You can also install an instance of Security Onion, and run it as either a
>> distributed instance for enterprise use, or in the standalone mode for the
>> student, hobbyist, SoHo network. It can be set to pull your native logs from
>> Linux, and do a lot of ingest and normalization for you, giving you a pretty
>> nice dashboard and SOC environment based in Kibana (it runs on the ELK stack).
>> It can also work, out of the box, with OSQuery on your Linux endpoints.
>>
>> Don't forget about NIST either. NIST, CISA, NSA, and GCHQ (UK) have all put
>> out various public hardening guides and even open-sourced auditing and
>> hardening scripts for Linux / Unix systems to help automate configurations.
>>
>> -R3doubt
>>
>> On Tue, Mar 12, 2024 at 7:17 PM Michael Lazin <mic...@gm...> wrote:
>>> Commercial EDR solutions like SentinelOne and CrowdStrike are better for
>>> business users who need protection against advanced threat actors. I know
>>> both use AWS IP addresses to report to an AI backend. The AI engine is
>>> really just using statistical analysis. Chkrootkit is another free offering,
>>> but I think rkhunter is better as far as free tools.
>>>
>>> Michael Lazin
>>>
>>> .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
>>>
>>> On Tue, Mar 12, 2024 at 6:25 PM <cal...@fa...> wrote:
>>>> What are people using instead?
>>>> _______________________________________________
>>>> Rkhunter-users mailing list
>>>> Rkh...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
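The "much more restrictive umask" suggestion above, for the open bug about permissions on rkhunter's tmp files, worked through as an added shell example. This is not rkhunter's code and not from any poster in the thread; it assumes a POSIX shell with GNU coreutils (`stat -c`), and the function names and the `rkh.XXXXXX` template are invented for the demonstration. The point it shows is that `mktemp` already creates its file 0600, but every companion file a script then writes by plain redirection gets 0666 & ~umask, so under a typical login umask of 022 those end up world-readable unless the script sets its own umask first.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: why a restrictive umask is a cheap
# fix for world-readable temp files written by a shell script.
# Assumes a POSIX shell and GNU coreutils (stat -c '%a'); the function names
# and the "rkh.XXXXXX" template are invented for this demonstration.

# Print the permission bits of a file in octal, e.g. 644 or 600.
mode_of() {
    stat -c '%a' "$1"
}

# Exit 0 if any permission bit is set for "others" (last octal digit non-zero).
world_accessible() {
    case $(mode_of "$1") in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Create two temp files the way a scanner script might, under the given umask:
#   - one via mktemp, which creates its file 0600 whatever the umask is
#   - one via plain shell redirection, which is created as 0666 & ~umask
# The umask is changed inside a subshell so the caller's umask is untouched.
# Prints the path of the redirection-created file.
create_with_umask() {
    wanted_umask=$1
    dir=$2
    (
        umask "$wanted_umask"
        base=$(mktemp "$dir/rkh.XXXXXX")
        : > "$base.out"          # this file's mode depends on the umask
        printf '%s\n' "$base.out"
    )
}

# Run the comparison in a scratch directory and report both results.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/rkhdemo.XXXXXX")
    loose=$(create_with_umask 022 "$scratch")   # typical login default
    tight=$(create_with_umask 077 "$scratch")   # what the script should set
    printf 'umask 022 -> mode %s  (world-readable)\n' "$(mode_of "$loose")"
    printf 'umask 077 -> mode %s  (owner only)\n'     "$(mode_of "$tight")"
    rm -rf "$scratch"
}

demo
```

Setting `umask 077` once at the top of a script closes the whole class of "forgot the chmod" bugs for files it creates afterwards, which is why it is a reasonable first step before auditing every individual write; it does not retroactively fix files that already exist, and it does not help a script that deliberately writes into a shared, world-writable directory under a predictable name.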