Auditing

From Segfault

chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.{md5,tar.gz,tar.gz.sig}
md5sum -c chkrootkit.md5 
gpg --recv-keys 20C5EC39
gpg --verify chkrootkit.tar.gz.sig  
tar -xzf chkrootkit.tar.gz && cd chkrootkit*
make
sudo ./chkrootkit -q

Note: its last release was 0.49 (2009-07-30), so maybe the project is dead already :-\ Update: chkrootkit-0.50 was released on 2014-06-04.

  • Debian #580491 - chkrootkit: 1)with nfs mounted the silent don't work 2)can't exclude legacy sniffer (dhcpd, snort, ntop etc)

rkhunter

From the manpage:

rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.

Its last version is 1.4.0 from 2012-05-01. Let's use the CVS version instead:

cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter login
cvs -z3 -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co -d rkhunter-cvs -P rkhunter

cd rkhunter-cvs
sudo mkdir /opt/rkhunter
sudo ./installer.sh --layout custom /opt/rkhunter --install

Now let's scan for those rootkits:

sudo /opt/rkhunter/bin/rkhunter --update
sudo /opt/rkhunter/bin/rkhunter --propupd                             # Run only once, on a known-clean system: this records the file-properties baseline later checks compare against
sudo /opt/rkhunter/bin/rkhunter --check --nocolors --skip-keypress --logfile /var/log/rkhunter.log \
                                --report-warnings-only --pkgmgr DPKG

When finished, we can analyze the logfile and cut down some of the noise:

sudo grep -vE 'Not found|Info: Found the|\[ OK \]' /var/log/rkhunter.log | less

lynis

Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes.

git clone https://github.com/CISOfy/lynis lynis-git
cd lynis-git
man -l lynis.8
sudo ./lynis update info
sudo ./lynis audit system --no-colors --quiet

When finished, we can analyze the logfile and cut down some of the noise:

grep -vE '(Result|Binary|Test):|Found|Performing|Skipped|Loaded' /var/log/lynis.log | less

Tripwire

Open Source Tripwire software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. The project is based on code originally contributed by Tripwire, Inc. in 2000.

AIDE

AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.

-- TBD

integrit

integrit is a simple yet secure alternative to products like tripwire. It has a small memory footprint, uses up-to-date cryptographic algorithms, and has features that make sense (like including the MD5 checksum of newly generated databases in the report). (R.I.P. 2007-06-02)

Nessus

From nessus.org:

The Nessus® vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture.

Install Nessus; I've chosen the Linux/generic variant:

tar -xzf Nessus-4.2.2-linux-generic64.tar.gz
./install.sh
/opt/nessus/sbin/nessus-adduser

Register your version online, then use nessus-fetch to register your Nessus installation:

$ /opt/nessus/bin/nessus-fetch --register ABCD-1234-5678-9000-0000
Your Activation Code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
[...]

$ /opt/nessus/sbin/nessusd &

Now Nessus can be accessed on TCP:8834 via a web browser.

Note: after its initial start, Nessus will update its plugin database, using quite some disk space:

 617 MB /opt/nessus/lib/nessus/plugins/
1200 MB /opt/nessus/var/nessus/plugins-code.db

There is a command-line interface too. Unfortunately, when using the so-called HomeFeed, the nessus command is not working. The nessuscmd command is no better :(

Samhain

Samhain

-- TBD

Links