How to detect a kernel rootkit using Zabbix?
Hello!
We use Zabbix to monitor our servers. The standard template for Linux hosts has a checksum-change check for system utilities (ps, top, ls, etc.). This once worked in real conditions (the password of a developer with sudo rights was stolen and some kind of rootkit was installed), after which I began to treat these alerts with respect. Some time ago I came across an article about kernel-space rootkits and the following thoughts came to mind:
There are two console utilities for Linux servers: chkrootkit and rkhunter.
There is also ClamAV, which can be useful. Also a console tool.
There is a utility that analyzes the logs itself: logwatch.
But these are all extra programs.
You can also look through the logs by hand, for example /var/log/auth.log.
Or check daily via cron for new packages and files in the system, and think about whether those files should be there.
Your own bash script would be good for this.
I wrote my own monitoring script for Ubuntu; it might come in handy:
linuxstar.ru/poluchenie-informacii-o-sisteme-ezhed...
https://github.com/ADMINICANA/ubuntu-server-daily-...
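An added example, not code from this answer or from the linked script, of the kind of cron or Zabbix check suggested here, aimed at the kernel-module case the question asks about: it lists the loadable modules that sysfs knows about but that are missing from /proc/modules. The function names and the sample data are constructed for illustration; a module that also removes its own sysfs entry will not show up, so a hit is a reason to investigate, not proof either way.

```shell
#!/bin/sh
# Added example, not from the original answer. Heuristic: a loadable kernel
# module that has unlinked itself from the kernel's module list (what
# /proc/modules shows) usually still has its kobject under /sys/module.
# Listing the loadable modules sysfs knows about but /proc/modules does not
# gives a cheap check a Zabbix agent can poll. Paths are parameters so the
# function runs on sample data as well as on the live kernel.
hidden_modules() {
    proc_modules="$1"   # normally /proc/modules
    sysfs_root="$2"     # normally /sys/module
    for dir in "$sysfs_root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # built-in modules also appear under /sys/module (for their parameters)
        # but have no initstate file; only loadable modules do
        [ -f "$dir/initstate" ] || continue
        # the first column of /proc/modules is the module name
        if ! awk '{ print $1 }' "$proc_modules" | grep -qxF -- "$name"; then
            echo "$name"
        fi
    done
}

# Constructed sample: three loadable modules in sysfs, one built-in module,
# and a /proc/modules listing that omits one loadable module (hidden_sample).
demo() {
    sample=$(mktemp -d)
    for m in ext4 hidden_sample nf_tables; do
        mkdir -p "$sample/sys/module/$m"
        echo live > "$sample/sys/module/$m/initstate"
    done
    mkdir -p "$sample/sys/module/printk/parameters"   # built-in: no initstate
    printf '%s\n' \
        'ext4 745472 1 - Live 0x0000000000000000' \
        'nf_tables 262144 0 - Live 0x0000000000000000' > "$sample/proc_modules"
    hidden_modules "$sample/proc_modules" "$sample/sys/module"
    rm -rf "$sample"
}

demo   # prints: hidden_sample

# Live use, e.g. as the command behind a Zabbix agent UserParameter that
# returns a count to alert on:
#   hidden_modules /proc/modules /sys/module | wc -l
```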
A rootkit is, by definition, something that hides itself in the system. Accordingly, once launched, it can slip a valid file with the required checksum into place and hide itself from the list of modules. Therefore a well-written rootkit cannot be caught this way, and there can be no talk of any guarantees. False positives can occur when the software is updated.