Hi unSpawn,

I'm working on my own distribution based on Hardened Gentoo which will use rkhunter for regular security scans, where results are handled via our own monitoring and reporting system. I know that rkhunter is mainly a post-incident analysis tool, but if someone hacks into the system and modifies the tools used by rkhunter to find attack patterns, then the attacker can possibly change those tools so RKH will not find this pattern.

In that case I would like to have something which I call trusted-bin, ideally a read-only NFS mounted partition with all tools/commands needed by RKH for the scan. For that I need a list of all commands executed by RKH. Hope it makes sense :]

Thank you —
Martin Čmelík
http://www.security-portal.cz
http://www.security-session.cz
http://www.securix.org
Save a tree - kill a beaver

2013/1/19 <unsp...@hushmail.com>:
> On Sat, 19 Jan 2013 00:45:13 +0100 "Martin Čmelík"
> <martin.cme...@gmail.com> wrote:
>>I was unable to find answer on my question in FAQ or via Google,
>>so I think that mail list will be best option.
>
> It is indeed. Good choice.
>
>
>>I would like to set on my distribution separate partition for all
>>tools which rkhunter needs for scan (--bindir). Is there list of
>>external commands which rkhunter execute during scan?
> That's the list it puts in its database when you run "--propupd".
>
> More importantly it would be good to know -=why=- you would want to
> do that? Outdated web pages or web log posts often spread the
> misconception that RKH equals security. It does not (and besides
> you shouldn't rely on one tool only). RKH is a -=post-incident=-
> analysis tool with a specific scope. Security-wise the emphasis
> should be on -=proper host and service hardening=- first. That's
> the foundation, a "must have", and it must be done before anything
> else. I would classify what you intend to do as a "nice to have".
>
>
>>Or is there chance that busybox contain all of them?
> BB can include ps, find, netstat, lsof but they are very limited in
> what switches they provide. So even if the binary you compiled has
> all required tools included usage would cause b0rkage. Doesn't mean
> you shouldn't try though.
>
>
> Cheers,
> unSpawn
> ---
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
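The concern raised in the thread is that an attacker who alters the tools rkhunter calls can blind the scan. As an added example (not code from the thread or from rkhunter itself), here is a small POSIX shell script that records a hash/mode/owner baseline for a trusted-bin directory and checks it for drift before a scan is run. The command names in TRUSTED_CMDS and the paths in the usage line are assumptions; the authoritative list is whatever rkhunter records after --propupd.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: keep a baseline of
# the commands a scan depends on and check a trusted-bin copy against it.
# TRUSTED_CMDS is an assumed list; the authoritative one is what --propupd records.
TRUSTED_CMDS="${TRUSTED_CMDS:-ps find netstat lsof ls stat}"

# SHA-256 of one file, using GNU sha256sum or falling back to BSD shasum
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# One record per file: path, sha256, mode, owner:group (GNU stat -c, else BSD stat -f)
record_props() {
  props=$(stat -c '%a %U:%G' "$1" 2>/dev/null || stat -f '%Lp %Su:%Sg' "$1")
  printf '%s %s %s\n' "$1" "$(file_hash "$1")" "$props"
}

# build_baseline BINDIR OUTFILE: record every listed command present in BINDIR
build_baseline() {
  : > "$2"
  for c in $TRUSTED_CMDS; do
    if [ -f "$1/$c" ]; then
      record_props "$1/$c" >> "$2"
    fi
  done
}

# verify_baseline OUTFILE: print CHANGED/MISSING lines, return 1 on any drift
verify_baseline() {
  rc=0
  while read -r path hash mode own; do
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; rc=1; continue
    fi
    if [ "$(record_props "$path")" != "$path $hash $mode $own" ]; then
      echo "CHANGED $path"; rc=1
    fi
  done < "$1"
  return $rc
}

# usage: trusted-bin.sh build /mnt/trusted-bin baseline.txt | verify baseline.txt
case "${1:-}" in
  build)  build_baseline "$2" "$3" ;;
  verify) verify_baseline "$2" ;;
esac
```

Run the verify step from the monitoring side before each rkhunter invocation and treat any CHANGED or MISSING line as a reason not to trust that scan's results.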