Hi All,
I'm Dan (Dogsbody) and I (we) took ownership of the rkhunter project
last month :-)
Sorry for the radio silence, there is a lot to unpack and as you have
all already stated, development has stalled for a number of years.
We have plans to update rkhunter (slowly at first) although it still
stands up really well.
As John states, there are already a pile of backlogged bugs so please
feel free to continue to submit improvements.
I do want to separate development conversations from user conversations
so please do sign up to the rkhunter-devel mailing list
https://sourceforge.net/projects/rkhunter/lists/rkhunter-devel
More when I have it.
Dan Benton
On 16/03/2024 05:15, jwadod...@gmail.com wrote:
I've used rkhunter for quite some time & have found it useful,
but do use a number of other things as well. Much home grown.
As to support, I've reported a bug via the Fedora bugzilla &
it was fixed.
2020/06/27 - sshd_config -
https://bugzilla.redhat.com/show_bug.cgi?id=1851620
and one that had already been fixed (use of egrep) but these were triggered by
changes in the way sshd config files were arranged & egrep was being
discouraged in favour or grep -E (same for fgrep/grep -F ...) & stray escapes.
If you look at,
https://sourceforge.net/p/rkhunter/bugs/
there are the open bugs. Pick one & fix it
Likely the maintainer needs help, which means some young blood.
But as I recall from many years ago before I retired, young blood
actually caused me too many problems explaining why certain code was the way
it was from 30 years before & that if they wanted to rewrite something from
scratch that worked be my guest... they soon lost interest sadly.
Look at the user profiles of the maintainers, particularly, jhorne the
primary maintainer) & the comments there, as well as comments on many of the
open bugs.
Also jhorne's activity to see what was done & the needs...
John Horne: It appears both dogsbody & unspawn are no longer involved/responding
is that right?
I thought I'd look at doing something from the rkhunter bug list & picked the
oldest bug, permissions on rkhunter tmp files (I realise I need a longer life
expectancy, less grandchildren & slightly less travel addicted travel partner)
but as a suggestion would a start on that not be a much more restrictive
umask? (& see if Christoph Anton Mitterer <cales...@scientia.net> is happy
with that - as he submitted it in 2010! ;-)
Cheers
John
On Tue, 2024-03-12 at 19:50 -0400, r3doubt wrote:
I have found rkhunter useful, especially for quick triage or auditing and
hardening to create a baseline configuration. I wouldn't rely on static
signatures for any sort of malware analysis or DFIR, regardless of OS or
product.
For a continuous monitoring EDR use case, I would recommend two free and open-
source solutions, as an alternative to commercial offerings. I have found
OSQuery to be a pretty useful tool on MacOS and Linux, giving me some of the
same EDR via native logs I get using Sysmon and Windows Event Logs on Windows
boxes. For dealing with "live off the land" style intrusions, this type of
data is crucial for EDR. OSQuery will look at things like syslog, but will
limit the info reported to a DIF on changes to certain logs or settings which
are stored in SQL style relational DB. You can set custom monitoring in a
syntax similar to SQL. I've been a "certified product engineer" for major
vendors, and even contributed to some of their work on things like security
orchestration, but you can't "buy" security, regardless of the product, comes
down to putting in the work.
You can also install an instance of Security Onion, and run it as either a
distributed instance for enterprise use, or in the standalone mode for the
student, hobbyist, SoHo network. It can be set to pull your native logs from
Linux, and do a lot of ingest and normalization for you, giving you a pretty
nice dashboard and SOC environment based in Kibana (it runs on ELK stack). It
can also work, out of the box, with OSQuery on your Linux endpoints.
Don't forget about NIST either. NIST, CISA, NSA, and GCHQ (UK) have all put
out various public hardening guides and even open-sourced auditing and
hardening scripts for Linux / Unix systems to help automate configurations.
-R3doubt
On Tue, Mar 12, 2024 at 7:17 PM Michael Lazin <microla...@gmail.com> wrote:
Commercial EDR solutions like SentinelOne and Crowdstrike are better for
business users who need protection against advanced threat actors, I know
both use AWS IP addresses to report to an AI backend. The AI engine is
really just using statistical analysis. Chkrootkit is another free offering
but I think rkhunter is better as far as free tools.
Michael Lazin
.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
On Tue, Mar 12, 2024 at 6:25 PM <calm.luck8...@fastmail.com> wrote:
What are people using instead?
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
