On Mon, 2003-09-22 at 21:30, Steve Phillips wrote:
> At 08:57 p.m. 22/09/2003 -0400, Jason Dixon wrote:
> >On Mon, 2003-09-22 at 20:42, Benjamin J. Weiss wrote:
> >[snippy snip]
> > > Um...Jason...the CERT training that I went to stated (though I have not
> > > verified it externally) that it is still possible to fool chkrootkit if
> > > you are running it in a "compromised environment".  We were taught that
> > > the best way to go is to run it from a "clean" medium, such as knoppix, to
> > > ensure that any of the binaries or LKMs aren't spoofing you.
> > >
> > > I know, you specifically stated that you should use good binaries...but
> > > this is easier and (AFAIK) foolproof...
> >
> >I'm happy that your CERT training prepared you for small/home-office
> >operations.  However, many of us work and exist in environments where
> >carrying around a CD doesn't scale.  My suggestion can be quickly and
> >easily performed on remote systems.
> 
> Please then - do not use FUD to market your product.

What are you talking about?  What product was I attempting to market? 
I'm afraid you must not have read very carefully.  At no point did I
offer to sell *anything*.  I was simply offering up some free, sage
advice.

> > > > > This way you will *ABSOLUTELY KNOW* that you are running a safe
> > > > > version of chkrootkit that will tell you whether or not you've been
> > > > > compromised.
> 
> This is misleading, and if the aim is to get people to be more security 
> minded then being misleading is a bad place to start.

I assume you're responding to Benjamin, those were not my words.

> Yes, this is not practical in every instance, and as with personal 
> firewalls, anti-virus scanners and using "different operating systems that 
> are not mainstream" every little bit helps - but PLEASE don't start 
> spreading the same kind of drivel that many marketing plebs out there in 
> the world today do. It makes you and your product look bad to the people 
> that would get the most benefit from your product. (even if you are giving 
> it away)

What are you talking about?  Spreading drivel?  I've only suggested that
folks try running chkrootkit on their servers to try and gain a small
measure of comfort in the state of their systems.  Where did I appear to
be marketing something for sale???

> In a corporate (SME to Large enterprise) scenario I would assume that they 
> already have systems in place to cope with intrusion detection and 
> eradication - including "known good" system configurations for just this 
> purpose.

Duh.  Where did I suggest that chkrootkit was the end-all solution to
intrusion detection?  I only offered it up as a quick "check" for system
compromise. 

> >Jason Dixon, RHCE
> 
> *sigh* I guess RHCE doesn't delve into the security aspects then eh ?

I'm having a hard time understanding where your rant is coming from. 
I've done nothing but offer a suggestion to users that they try running
chkrootkit on their systems.  You're obviously reading a LOT into the
email that simply wasn't there.  What is your PROBLEM???

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


-- 
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
