I am testing the rootkit detection in OSSEC and it would appear to not work. OSSEC should detect hidden processes. That is, something that does not show in "ps" but can be found with syscalls and by looking for /proc/<pid>. I have rootkitted a system and have the rootkit check running every 1800 seconds. The logs indicate it runs, yet it never detects my hidden processes. See below.
https://github.com/mfontanini/Programs-Scripts/tree/master/rootkit

You simply have to rename the strnstr function to not conflict (sed globally). Other minor tests I have run by creating files that should match the rootkit_files.txt also result in no hits.

root@foo:~# ps auxwww | grep nc
root     14     0.0  0.0      0    0 ?      S    2016   0:00 [async/mgr]
root     16     0.0  0.0      0    0 ?      S    2016   0:19 [sync_supers]
root     23036  0.0  0.0 103316  888 pts/3  S+   07:29  0:00 grep nc
root     65389  0.0  0.0  11996  676 pts/2  S+   Feb02  0:00 nc -l 5678
root@foo:~# echo "hpid 65389" > /proc/buddyinfo
-bash: echo: write error: Operation not permitted
root@foo:~# ps auxwww | grep nc
root     14     0.0  0.0      0    0 ?      S    2016   0:00 [async/mgr]
root     16     0.0  0.0      0    0 ?      S    2016   0:19 [sync_supers]
root     23054  0.0  0.0 103316  884 pts/3  S+   07:29  0:00 grep nc
root@foo:~# echo "spid 65389" > /proc/buddyinfo
-bash: echo: write error: Operation not permitted
root@foo:~# ps auxwww | grep nc
root     14     0.0  0.0      0    0 ?      S    2016   0:00 [async/mgr]
root     16     0.0  0.0      0    0 ?      S    2016   0:19 [sync_supers]
root     23064  0.0  0.0 103316  880 pts/3  S+   07:29  0:00 grep nc
root     65389  0.0  0.0  11996  676 pts/2  S+   Feb02  0:00 nc -l 5678
root@foo:~# echo "hpid 65389" > /proc/buddyinfo
-bash: echo: write error: Operation not permitted
root@foo:~# ls /proc/65389
attr/  autogroup  auxv  cgroup  clear_refs  cmdline  comm  coredump_filter  cpuset  cwd@  environ  exe@  fd/  fdinfo/  io  limits  loginuid  maps  mem  mountinfo  mounts  mountstats  net/  ns/  numa_maps  oom_adj  oom_score  oom_score_adj  pagemap  personality  root@  sched  schedstat  sessionid  smaps  stack  stat  statm  status  syscall  task/  wchan

Am I missing something? Can anyone else confirm if this is the case or not?

Thanks!
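The check the post describes, written out as an added example (this is not OSSEC's rootcheck code and not the poster's): it brute-forces PIDs with kill/getsid/getpgid and compares the result with what readdir("/proc") and "ps" list, the three views that disagree in the session above. Skipping thread IDs via the Tgid field of /proc/<pid>/status and the pid_max default of 32768 are assumptions of this example.

```python
import os
import subprocess

# Added example, not OSSEC's own code: cross-check three views of the process table.
# A PID the kernel admits to via syscalls but readdir("/proc") or "ps" omits is a candidate.

def kernel_knows(pid):
    """True if kill/getsid/getpgid say the PID exists (EPERM still means it exists)."""
    for probe in (os.getsid, os.getpgid, lambda p: os.kill(p, 0)):
        try:
            probe(pid)
        except ProcessLookupError:
            continue          # ESRCH from this syscall; try the next one
        except OSError:
            return True       # EPERM: it exists, we just may not signal it
        return True
    return False

def is_thread_group_leader(pid, proc_root="/proc"):
    """Threads answer kill() too but have Tgid != Pid; an unreadable status keeps the PID."""
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            tgid = next(int(line.split()[1]) for line in f if line.startswith("Tgid:"))
        return tgid == pid
    except (OSError, StopIteration, ValueError, IndexError):
        return True

def listed_pids(proc_root="/proc"):
    """What readdir("/proc") shows, which is also where ps gets its list."""
    try:
        return {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    except OSError:
        return set()

def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    return {int(t) for t in out.split() if t.isdigit()}

def compare_views(kernel, listed, ps):
    """Pure, unit-testable: {pid: [views that miss it]} for every kernel-known PID."""
    views = (("/proc", listed), ("ps", ps))
    return {p: [name for name, seen in views if p not in seen]
            for p in sorted(kernel) if p not in listed or p not in ps}

def scan(pid_max=32768, proc_root="/proc"):
    """pid_max is an assumed default; /proc/sys/kernel/pid_max holds the real value."""
    kernel = {p for p in range(1, pid_max + 1)
              if kernel_knows(p) and is_thread_group_leader(p, proc_root)}
    findings = compare_views(kernel, listed_pids(proc_root), ps_pids())
    return {p: v for p, v in findings.items() if kernel_knows(p)}  # drop PIDs that just exited
```

Run scan() as root on the rootkitted box; a process in the post's situation would be reported as known to the kernel and present in /proc but missing from ps, which is the disagreement a detector has to act on.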
