Thread: [Rkhunter-users] Still under support?
From: <rkh...@si...> - 2024-03-12 08:39:03
Hello,

I have been using rkhunter for a while, but I realized that there has not been any update since February 2018, which is 6 years ago.

Is this project still alive and under development, or has it become outdated? My concern is that 6 years in IT, especially in the security area, looks too risky for me without updates.

Regards,
David
From: Michael L. <mic...@gm...> - 2024-03-12 20:47:07
I would not rely on rkhunter to find the most sophisticated threat actors. I have pointed out a few times that it does not check the kernel hash or kernel modules at all, but in defence of the project, I like to run it on newly installed systems to get a baseline: if there is a change down the road, it is easier to spot if you have a baseline from running it at first install.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Tue, Mar 12, 2024 at 4:46 AM rkhunter.yih68--- via Rkhunter-users <rkh...@li...> wrote:
> Hello,
>
> I have been using for a while RKhunter but I realized that there is not any update since February 2018, which means 6 years ago.
>
> Is this project still alive and under development or has it become outdated? My concern is that 6 years in IT, specially in the security area, looks too risky for me without updates.
>
> Regards,
> David
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
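The baseline idea in Michael's message, as an added example in POSIX shell that is not rkhunter's own code and not from his post: record a hash, mode and owner for every file under a directory on a fresh install, store that manifest where the host cannot rewrite it, and diff a fresh manifest against it later. The demo directory, the "trojaned ps" file and the dropped hidden file are constructed for the example. (rkhunter's own equivalent of the two steps is `rkhunter --propupd` to record file properties and `rkhunter -c` to verify them.)

```shell
#!/bin/sh
# Added example, not rkhunter's code: a minimal file-property baseline.
# Build it once on a fresh install, keep the manifest off-host or on
# read-only media (an attacker with root simply rewrites one kept on the
# same disk), and re-check it later.

# sha256_of FILE: hex digest (coreutils sha256sum, shasum fallback).
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# mode_owner_of FILE: "mode:owner", e.g. 755:root (GNU stat, BSD fallback).
mode_owner_of() {
    stat -c '%a:%U' "$1" 2>/dev/null || stat -f '%Lp:%Su' "$1"
}

# baseline_create DIR MANIFEST: one line per regular file under DIR,
#   <sha256> <mode:owner> <path>
# sorted with a fixed locale so two manifests of one tree diff cleanly.
baseline_create() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256_of "$f")" "$(mode_owner_of "$f")" "$f"
    done > "$2"
}

# baseline_check DIR MANIFEST: rebuild the manifest and diff it against the
# stored one. Prints the differing lines ('<' baseline, '>' current) and
# returns 1 on any change, removal or addition; 0 when the tree is clean.
baseline_check() {
    now=$(mktemp) || return 2
    baseline_create "$1" "$now"
    drift=$(diff "$2" "$now" | grep '^[<>]' || true)
    rm -f "$now"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed demo: a stand-in for /usr/bin on a freshly installed box.
# Prints "<rc-before-tampering> <drift-lines-after>": 0 while clean, then
# 3 lines (old and new entry for the swapped ps, one for the new file).
demo() {
    d=$(mktemp -d) || return 2
    m="$d.manifest"                      # manifest lives outside the scanned tree
    printf 'original ls\n' > "$d/ls"
    printf 'original ps\n' > "$d/ps"
    baseline_create "$d" "$m"
    if baseline_check "$d" "$m" > /dev/null; then before=0; else before=$?; fi
    printf 'trojaned ps\n' > "$d/ps"    # a user-land rootkit swapping a binary
    printf 'dropper\n' > "$d/.x"         # and leaving a new hidden file behind
    after=$(baseline_check "$d" "$m" | wc -l | tr -d ' ')
    rm -rf "$d" "$m"
    printf '%s %s\n' "$before" "$after"
}

demo   # prints: 0 3
```

Hash-only baselines miss a permission or ownership change that leaves file contents intact, which is why the manifest records mode and owner as well; it still does nothing for a kernel-level rootkit that lies to `stat` and `read`, so the manifest and the checker should be run from trusted media when an incident is suspected.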
From: <cal...@fa...> - 2024-03-12 22:16:32
What are people using instead?
From: Michael L. <mic...@gm...> - 2024-03-12 23:15:35
Commercial EDR solutions like SentinelOne and CrowdStrike are better for business users who need protection against advanced threat actors. I know both use AWS IP addresses to report to an AI backend; the AI engine is really just using statistical analysis. Chkrootkit is another free offering, but I think rkhunter is better as far as free tools go.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Tue, Mar 12, 2024 at 6:25 PM <cal...@fa...> wrote:
> What are people using instead?
From: r3doubt <r3...@r3...> - 2024-03-13 00:17:41
I have found rkhunter useful, especially for quick triage or for auditing and hardening to create a baseline configuration. I wouldn't rely on static signatures for any sort of malware analysis or DFIR, regardless of OS or product.

For a continuous-monitoring EDR use case, I would recommend two free and open-source solutions as an alternative to commercial offerings. I have found OSQuery to be a pretty useful tool on macOS and Linux, giving me some of the same EDR via native logs that I get using Sysmon and Windows Event Logs on Windows boxes. For dealing with "live off the land" style intrusions, this type of data is crucial for EDR. OSQuery will look at things like syslog, but will limit the info reported to a diff on changes to certain logs or settings, which are stored in an SQL-style relational DB. You can set custom monitoring in a syntax similar to SQL. I've been a "certified product engineer" for major vendors, and even contributed to some of their work on things like security orchestration, but you can't "buy" security; regardless of the product, it comes down to putting in the work.

You can also install an instance of Security Onion and run it either as a distributed instance for enterprise use, or in standalone mode for the student, hobbyist or SOHO network. It can be set to pull your native logs from Linux, and do a lot of ingest and normalization for you, giving you a pretty nice dashboard and SOC environment based on Kibana (it runs on the ELK stack). It can also work, out of the box, with OSQuery on your Linux endpoints.

Don't forget about NIST either. NIST, CISA, NSA and GCHQ (UK) have all put out various public hardening guides and even open-sourced auditing and hardening scripts for Linux/Unix systems to help automate configurations.

-R3doubt
From: Michael L. <mic...@gm...> - 2024-03-13 01:21:06
https://www.cisecurity.org/cis-benchmarks

This is useful too, and much easier to implement than just going by NIST. Thanks for the tip on OSQuery; I ran it on a Linux system and a Mac, and it appears powerful and useful.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
From: <jwa...@gm...> - 2024-03-16 05:15:29
I've used rkhunter for quite some time & have found it useful, but do use a number of other things as well, much of it home grown.

As to support, I've reported a bug via the Fedora bugzilla & it was fixed:

2020/06/27 - sshd_config - https://bugzilla.redhat.com/show_bug.cgi?id=1851620

and one that had already been fixed (use of egrep). These were triggered by changes in the way sshd config files were arranged, egrep being discouraged in favour of grep -E (same for fgrep/grep -F ...), & stray escapes.

If you look at https://sourceforge.net/p/rkhunter/bugs/ there are the open bugs. Pick one & fix it.

Likely the maintainer needs help, which means some young blood. But as I recall from many years ago before I retired, young blood actually caused me too many problems explaining why certain code was the way it was from 30 years before, & that if they wanted to rewrite something from scratch that worked, be my guest... they soon lost interest, sadly.

Look at the user profiles of the maintainers (particularly jhorne, the primary maintainer) & the comments there, as well as comments on many of the open bugs. Also jhorne's activity, to see what was done & the needs...

John Horne: it appears both dogsbody & unspawn are no longer involved/responding, is that right?

I thought I'd look at doing something from the rkhunter bug list & picked the oldest bug, permissions on rkhunter tmp files (I realise I need a longer life expectancy, fewer grandchildren & a slightly less travel-addicted travel partner), but as a suggestion, would a start on that not be a much more restrictive umask? (& see if Christoph Anton Mitterer <cal...@sc...> is happy with that, as he submitted it in 2010! ;-)

Cheers

John
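John's suggestion of a more restrictive umask for the tmp-file bug, as an added example in POSIX shell that is not rkhunter's code and not from his message: it shows why the umask matters for files a shell script creates by plain redirection, and why `mktemp` is the stronger fix. The file names and the demo content are constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's code: how a root-run scanner should create
# its scratch files so that their contents are never world-readable.
# Two layers: a restrictive umask for anything created by plain redirection,
# and mktemp for an unpredictable, atomically created private directory.

# perms_of PATH: print the octal permission bits (GNU stat, BSD fallback).
perms_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# make_scratch UMASK: create a file by shell redirection (the way most
# scripts do) under the given umask and print the mode it ended up with.
make_scratch() {
    old_umask=$(umask)
    umask "$1"
    dir=$(mktemp -d) || return 1
    # Plain redirection creates the file as 0666 masked by the umask, so a
    # 022 umask leaves it world-readable (644) and 077 does not (600).
    printf 'file-property list that should stay private\n' > "$dir/props.tmp"
    perms_of "$dir/props.tmp"
    rm -rf "$dir"
    umask "$old_umask"
}

# scratch_dir_perms: mktemp -d creates its directory 0700 regardless of
# the umask (mktemp creates files 0600 the same way), which is why moving
# every scratch file to mktemp protects even scripts that forget the umask.
scratch_dir_perms() {
    old_umask=$(umask)
    umask 022
    dir=$(mktemp -d) || return 1
    perms_of "$dir"
    rmdir "$dir"
    umask "$old_umask"
}

main() {
    echo "redirect with umask 022:  $(make_scratch 022)"   # 644
    echo "redirect with umask 077:  $(make_scratch 077)"   # 600
    echo "mktemp -d with umask 022: $(scratch_dir_perms)"  # 700
}
main "$@"
```

Setting `umask 077` once at the top of a script fixes every redirection below it in one line, which is what makes it a good first step; a file created with `mktemp` inside a `mktemp -d` directory additionally closes the predictable-name and symlink-race problems that a fixed path under /tmp has, so the two are worth combining rather than choosing between.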
From: Dan B. <da...@do...> - 2024-03-17 12:43:11
Hi All,

I'm Dan (Dogsbody) and I (we) took ownership of the rkhunter project last month :-)

Sorry for the radio silence; there is a lot to unpack and, as you have all already stated, development has stalled for a number of years.

We have plans to update rkhunter (slowly at first), although it still stands up really well. As John states, there are already a pile of backlogged bugs, so please feel free to continue to submit improvements.

I do want to separate development conversations from user conversations, so please do sign up to the rkhunter-devel mailing list: https://sourceforge.net/projects/rkhunter/lists/rkhunter-devel

More when I have it.

Dan Benton