Auditing
chkrootkit
chkrootkit is a tool to locally check for signs of a rootkit.
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.{md5,tar.gz,tar.gz.sig}
md5sum -c chkrootkit.md5
gpg --recv-keys 20C5EC39
gpg --verify chkrootkit.tar.gz.sig
tar -xzf chkrootkit.tar.gz && cd chkrootkit*
make
sudo ./chkrootkit -q
Note: its last release is 0.49 (2009-07-30), so maybe the project is dead already :-\
- chkrootkit-0.50 has been released on 2014-06-04
- Debian #580491 - chkrootkit: 1) with nfs mounted the silent don't work 2) can't exclude legacy sniffer (dhcpd, snort, ntop etc)
rkhunter
From the manpage:
rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.
Its last version is 1.4.0 from 2012-05-01. Let's use the CVS version instead:
cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter login
cvs -z3 -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co -d rkhunter-cvs -P rkhunter
cd rkhunter-cvs
sudo mkdir /opt/rkhunter
sudo ./installer.sh --layout custom /opt/rkhunter --install
Now let's scan for those rootkits:
sudo /opt/rkhunter/bin/rkhunter --update
sudo /opt/rkhunter/bin/rkhunter --propupd    # Run only once!
sudo /opt/rkhunter/bin/rkhunter --check --nocolors --skip-keypress --logfile /var/log/rkhunter.log \
    --report-warnings-only --pkgmgr DPKG
When finished, we can analyze the logfile and cut down some of the noise:
sudo grep -vE 'Not found|Info: Found the|\[ OK \]' /var/log/rkhunter.log | less
lynis
Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes.
git clone https://github.com/CISOfy/lynis lynis-git
cd lynis-git
man -l lynis.8
sudo ./lynis update info
sudo ./lynis audit system --no-colors --quiet
When finished, we can analyze the logfile and cut down some of the noise:
grep -vE '(Result|Binary|Test):|Found|Performing|Skipped|Loaded' /var/log/lynis.log | less
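The two grep filters above (for rkhunter and for lynis) work, but they are keyword blacklists, and a blacklist word can also appear inside a warning: the lynis filter drops every line containing "Found", warnings included. The following added example (not part of this page's original commands, nor of either tool) pulls the "Warning:" lines out first and only then applies the page's noise patterns to the rest; the sample log lines are constructed in the style of rkhunter.log and lynis.log and are not from a real scan.

```python
import re

# Constructed sample lines in the style of /var/log/rkhunter.log; not
# captured from a real scan.
RKHUNTER_LOG = """\
[10:01:02] Info: Found the 'ls' command: /bin/ls
[10:01:02] Checking for file /usr/bin/ls   [ Not found ]
[10:01:03] Checking /bin/ls   [ OK ]
[10:01:04] Warning: The command '/usr/bin/unhide' has been replaced by a script: /usr/bin/unhide: POSIX shell script
[10:01:05] Warning: Hidden directory found: /dev/.udev
[10:01:06] Checking for hidden files and directories   [ Warning ]
"""

# Constructed sample lines in the style of /var/log/lynis.log.
LYNIS_LOG = """\
2014-06-04 10:02:01 Performing test ID AUTH-9328 (Default umask values)
2014-06-04 10:02:01 Result: found umask 022, which could be improved
2014-06-04 10:02:01 Warning: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
2014-06-04 10:02:02 Test: Checking /etc/ssh/sshd_config
2014-06-04 10:02:02 Found SSH daemon configuration
2014-06-04 10:02:03 Warning: Found a non-standard SSH port [test:SSH-7408] [details:Port 2222] [solution:-]
"""

# The noise patterns are the grep -vE expressions used on this page, one per tool.
NOISE = {
    "rkhunter": re.compile(r"Not found|Info: Found the|\[ OK \]"),
    "lynis": re.compile(r"(Result|Binary|Test):|Found|Performing|Skipped|Loaded"),
}

# Both tools prefix a finding with the literal "Warning:"; lynis also appends
# [test:...] [details:...] [solution:...] tags that are worth keeping.
WARNING_RE = re.compile(
    r"Warning:\s*(?P<msg>.*?)\s*"
    r"(?:\[test:(?P<test>[^\]]+)\])?\s*"
    r"(?:\[details:(?P<details>[^\]]*)\])?\s*"
    r"(?:\[solution:[^\]]*\])?\s*$"
)


def extract_warnings(lines):
    """Return the structured warnings found in the log lines."""
    found = []
    for line in lines:
        m = WARNING_RE.search(line)
        if m:
            found.append({"message": m.group("msg"),
                          "test": m.group("test"),
                          "details": m.group("details")})
    return found


def drop_noise(lines, tool):
    """Apply the tool's noise filter to the lines that are not warnings."""
    pattern = NOISE[tool]
    return [l for l in lines
            if not WARNING_RE.search(l) and not pattern.search(l)]


def triage(log_text, tool):
    """Split a log into warnings and the remaining non-noise lines.

    Warnings are pulled out before the noise filter runs, so a blacklist
    word such as the bare "Found" in the lynis pattern cannot discard a
    warning whose text happens to contain it.
    """
    lines = log_text.splitlines()
    return {"warnings": extract_warnings(lines),
            "other": drop_noise(lines, tool)}


if __name__ == "__main__":
    for name, text in (("rkhunter", RKHUNTER_LOG), ("lynis", LYNIS_LOG)):
        result = triage(text, name)
        print(f"{name}: {len(result['warnings'])} warning(s), "
              f"{len(result['other'])} other line(s) after filtering")
        for w in result["warnings"]:
            print("  ", w["test"] or "-", w["message"])
```

Run it with `python3 triage.py`; to use it on the real logs, read `/var/log/rkhunter.log` or `/var/log/lynis.log` and pass the text to `triage()` with the matching tool name. Anything left in `other` after the noise filter is a candidate for either a new noise pattern or a closer look.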
Tripwire
Open Source Tripwire software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. The project is based on code originally contributed by Tripwire, Inc. in 2000.
- Sample Tripwire policy & configuration files for SLES 9
- Tripwire Tutorial: Linux Host Based Intrusion Detection System
AIDE
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.
-- TBD
integrit
integrit is a simple yet secure alternative to products like tripwire. It has a small memory footprint, uses up-to-date cryptographic algorithms, and has features that make sense (like including the MD5 checksum of newly generated databases in the report). (R.I.P. 2007-06-02)
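Tripwire, AIDE and integrit all implement the same model: fingerprint every file into a baseline database, keep the database (and, as integrit does, its checksum) somewhere the monitored host cannot silently rewrite, and later compare a fresh scan against it. The following is an added example of that model, written for this page and not taken from any of the three projects; the directory tree, file contents and "tampering" are constructed inside a temporary directory, and the attribute set in COMPARED is a choice made here, not any tool's default policy.

```python
import hashlib
import json
import os
import stat
import tempfile

# Attributes compared between baseline and current state (a choice made for
# this example). mtime is recorded too but not compared, so the demo below
# stays deterministic when both scans land in the same second.
COMPARED = ("sha256", "size", "mode", "uid", "gid")


def fingerprint(path):
    """Hash and stat one path; symlinks are recorded by their target string."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Walk root and fingerprint every file below it, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def save_baseline(db, path):
    """Write the database and return its SHA-256, to be recorded out of band."""
    data = json.dumps(db, sort_keys=True, indent=1).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(path, expected_sha256):
    """Refuse a database whose checksum no longer matches the recorded one."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("baseline database does not match its recorded checksum")
    return json.loads(data)


def compare(baseline, current):
    """Report added, removed and changed paths between two databases."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in COMPARED if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Baseline a constructed tree, alter it, and compare against the baseline."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original binary\n")      # constructed stand-in
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        dbfile = os.path.join(store, "baseline.json")   # kept outside the tree
        digest = save_baseline(build_baseline(root), dbfile)

        # Simulated changes: a binary replaced by a script (the situation the
        # rkhunter warning above describes), a removed file and a new file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nls\n")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "shadow"), "wb") as f:
            f.write(b"root:*:0:0:99999:7:::\n")

        return compare(load_baseline(dbfile, digest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The checksum returned by `save_baseline()` is the part that matters operationally: if the database lives on the monitored host with no independent record of its hash, anyone who can alter the files can regenerate the database too, and the comparison will report nothing. Keeping the digest (or the whole database) on read-only or remote storage is what makes the report meaningful.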
Nessus
From nessus.org:
The Nessus® vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture.
Install Nessus; I've chosen the Linux/generic variant:
tar -xzf Nessus-4.2.2-linux-generic64.tar.gz
./install.sh
/opt/nessus/sbin/nessus-adduser
Register your version online, then use nessus-fetch to register your Nessus installation:
$ /opt/nessus/bin/nessus-fetch --register ABCD-1234-5678-9000-0000
Your Activation Code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
[...]
$ /opt/nessus/sbin/nessusd &
Now Nessus can be accessed on TCP port 8834 via a web browser.
Note: after its initial start, Nessus will update its plugin database, using quite some disk space:
617 MB  /opt/nessus/lib/nessus/plugins/
1200 MB /opt/nessus/var/nessus/plugins-code.db
There is a command-line interface too. Unfortunately, when using the so-called HomeFeed, the nessus command is not working. The nessuscmd command is no better :(
Samhain
-- TBD
Links
- Password security: John the Ripper
- Wireless Security: Aircrack-ng
- Hardening