Jdow,

Why are you looking at that for rootkit prevention?
It's a very old-fashioned approach. I would use RPM's verify command or one 
of the many filesystem checksum tools available for that instead.
Either one can tell you very easily if any critical binaries or libraries have 
been compromised, and there are even tools built around them to do it on a 
network-wide level.
Furthermore, if you really want to make your systems resistant to rootkits, a 
read-only mount of / and /usr is still your best bet; even Red Hat products 
like RHEV use that method on appliances.


  Original Message  
From: jdow
Sent: Wednesday, September 7, 2016 19:09
To: [email protected]
Subject: Re: Re: Regarding latest Linux level 3 rootkits

Thanks Vladimir,

I suppose I could pull the necessary files from busybox as a means of keeping a 
more generic Linux system in security trim. This might be a useful tool set to 
suggest upstream. A statically linked less would allow a quick check for the 
hidden user. A statically linked chkrootkit would find the bad file size for 
the affected glib libraries.

{^_^} Joanne

On 2016-09-07 03:36, Vladimir Mosgalin wrote:
> Hi jdow!
>
> On 2016.09.06 at 23:15:04 -0700, jdow wrote next:
>
>> Is there any source for a VI, VIM, or even EMACS that has all libraries
>> compiled into it statically? That would make monitoring for the rootkit much
>> easier. The same could be said for utilities such as chkrootkit. With
>> compiled in static libraries these level three (user space) rootkits can't
>> edit the results you get, as easily. (Any file system components in user
>> space would also have to be statically linked.)
>
> Busybox would work. It's usually built statically (either that, or it's
> easy to make that kind of build) and includes vi clone. Very poor man's
> vi, just like other busybox utilities, but nevertheless. Current version
> supports some neat stuff like autoindent and undo.
>

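Added example (not code from any message in this thread): a POSIX sh sketch of the two checks recommended in the first message above, triaging `rpm -V` style output to flag binaries whose digest or size changed (or which went missing), and keeping a sha256 baseline of a tree that can be re-verified later, the way the "filesystem checksum tools" it mentions do. The `rpm -V` lines and the scratch files are constructed here, not captured from a real host, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh plus GNU coreutils
# (sha256sum, find, sort, awk, sed). Function names are illustrative.

# --- 1. Triage rpm -V output -------------------------------------------------
# rpm -V prints one line per file that fails verification: a 9-character
# attribute string (S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; '.' = test passed, '?' = not testable),
# an optional file-type flag (c config, d doc, ...), then the path. A missing
# file is reported with the word "missing" in place of the attribute string.

# Constructed sample of rpm -V output (not from a real host).
RPM_V_SAMPLE='S.5....T.    /usr/bin/ls
.......T.    /usr/bin/cat
S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/lib64/libc.so.6
missing     /usr/sbin/sshd'

# Return 0 (true) when the line describes a non-config file whose contents
# changed (digest or size) or which is gone. Config files change legitimately,
# and an mtime-only change ('T') is noise, so neither is flagged.
rpm_v_is_suspicious() {
  rv_attrs=$(printf '%s\n' "$1" | awk '{print $1}')
  rv_type=$(printf '%s\n' "$1" | awk 'NF == 3 {print $2}')
  case "$rv_type" in c) return 1 ;; esac
  case "$rv_attrs" in
    missing|*5*|S*) return 0 ;;
  esac
  return 1
}

# Read rpm -V output on stdin, print the path of each suspicious entry.
# (Paths containing spaces are not handled; rpm -V does not quote them.)
rpm_v_filter() {
  while IFS= read -r rv_line; do
    [ -n "$rv_line" ] || continue
    if rpm_v_is_suspicious "$rv_line"; then
      printf '%s\n' "$rv_line" | awk '{print $NF}'
    fi
  done
}

# --- 2. Checksum baseline for a directory tree --------------------------------
# Record the sha256 of every regular file under $1 into baseline file $2.
baseline_create() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Re-verify tree $1 against baseline $2; print each changed or missing path.
# Empty output means nothing changed. Keep the baseline off-host or on
# read-only media: a rootkit that can edit /usr/bin can edit a baseline
# stored next to it.
baseline_check() {
  (cd "$1" && sha256sum -c --quiet "$2") 2>&1 \
    | grep ': FAILED' | sed 's/: FAILED.*//'
}

# Self-contained demo: build a scratch tree, baseline it, then replace one
# "binary" and delete another, and show that both are reported.
demo_baseline() {
  db_tmp=$(mktemp -d)
  mkdir -p "$db_tmp/root/bin"
  printf 'original ls\n'  > "$db_tmp/root/bin/ls"
  printf 'original cat\n' > "$db_tmp/root/bin/cat"
  baseline_create "$db_tmp/root" "$db_tmp/baseline.sha256"
  printf 'trojaned ls\n' > "$db_tmp/root/bin/ls"   # simulated tampering
  rm "$db_tmp/root/bin/cat"                         # simulated removal
  baseline_check "$db_tmp/root" "$db_tmp/baseline.sha256"
  rm -rf "$db_tmp"
}

# Stand-alone run: prints the three suspicious rpm -V paths, then the two
# changed paths from the scratch tree.
printf '%s\n' "$RPM_V_SAMPLE" | rpm_v_filter
demo_baseline
```

Two caveats worth keeping in mind with either check. `rpm -V` compares against the local rpm database, which lives on the same writable filesystem as the binaries it verifies; `rpm -Vp` against the original package file, or a checksum baseline kept on read-only media, is the stronger comparison. And both rpm and sha256sum are dynamically linked, so a level-3 (userland) rootkit that hooks libc can lie to them, which is exactly where the statically linked busybox suggested earlier in the thread, or booting from read-only media as the first message recommends, comes in.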