linux
Konstantin Antipov, 2015-03-04 17:49:28

How to detect kernel rootkit using zabbix?

Hello!
We use Zabbix to monitor our servers. The standard Linux host template has a checksum-change check for system utilities (ps, top, ls, etc.). This once worked in a real incident (someone stole the password of a developer with sudo rights and installed some kind of rootkit), after which I began to treat these alerts with respect. Some time ago I came across an article about kernel-space rootkits and had the following thoughts:

  • Checksums of /bin/cat and /usr/bin/md5sum
  • cat /proc/modules | md5sum
  • cat /proc/kallsyms | md5sum

1. Will these checks be able to detect the installation of at least some rootkits?
2. Can such checks guarantee the absence of rootkits in the kernel (if installed on a clean system)?
3. What is the probability of false-positive alerts?
4. Are there perhaps other simple checks (without installing additional programs)?
Thank you!
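As an added example (not from the thread), here is a sketch of the baseline-and-compare check the question describes, written so it can be wired into Zabbix as a UserParameter: it records md5 fingerprints of the listed files and of the module list, then reports how many entries changed. The script name, baseline path and item key are assumptions; for /proc/modules it hashes only the sorted module names, so refcount and load-order churn do not raise false positives, and as Vladimir's answer notes it can only catch a rootkit that does not hide itself from these views.

```shell
#!/bin/sh
# Hypothetical baseline-and-compare script (not from the thread): records
# md5 fingerprints of files and of the kernel module list, then reports how
# many entries changed. Assumed Zabbix wiring (agent config):
#   UserParameter=rootkit.check,/usr/local/bin/integrity.sh check /var/lib/integrity.base
# Run "integrity.sh init BASELINE file:/bin/cat modules:/proc/modules" once on
# a known-clean host, then trigger on the item value being greater than 0.
set -u

# fingerprint KIND PATH -> md5 hex digest on stdout
fingerprint() {
    case $1 in
        # plain file: hash the full contents
        file)    md5sum "$2" | cut -d' ' -f1 ;;
        # module list (/proc/modules): hash sorted module names only, so
        # refcount and "used by" churn does not raise a false positive
        modules) cut -d' ' -f1 "$2" | sort | md5sum | cut -d' ' -f1 ;;
        *)       echo "unknown kind: $1" >&2; return 1 ;;
    esac
}

# write_baseline BASELINE KIND:PATH... -> one "KIND PATH HASH" line per entry
write_baseline() {
    out=$1; shift
    : > "$out"
    for spec in "$@"; do
        kind=${spec%%:*}; path=${spec#*:}
        printf '%s %s %s\n' "$kind" "$path" "$(fingerprint "$kind" "$path")" >> "$out"
    done
}

# check_baseline BASELINE -> prints the number of changed entries (0 = clean);
# each changed path is named on stderr for the alert text. A missing file
# hashes to an empty string and therefore counts as changed.
check_baseline() {
    changed=0
    while read -r kind path expected; do
        actual=$(fingerprint "$kind" "$path" 2>/dev/null) || actual=MISSING
        if [ "$actual" != "$expected" ]; then
            echo "changed: $path" >&2
            changed=$((changed + 1))
        fi
    done < "$1"
    echo "$changed"
}

case "${1:-}" in
    init)  shift; write_baseline "$@" ;;
    check) shift; check_baseline "$@" ;;
esac
```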


2 answer(s)
Sergey, 2015-03-04
@butteff

There are two console utilities for Linux servers: chkrootkit and rkhunter.
There is also clamav, which can be useful; it is also console-based.
There is a utility that analyzes the logs itself: logwatch.
But these are all extra programs.
You can look through the logs by hand, for example /var/log/auth.log.
Or check daily by cron for new packages and files in the system, and think about whether those files should be there.
Your own bash script would be good for this.
I wrote my own monitoring script for Ubuntu; it might come in handy:
linuxstar.ru/poluchenie-informacii-o-sisteme-ezhed...
https://github.com/ADMINICANA/ubuntu-server-daily-...

Vladimir Martyanov, 2015-03-04
@vilgeforce

A rootkit is, by definition, something that hides itself in the system. Accordingly, once launched it can slip a valid file with the expected checksum into place and hide itself from the module list. Therefore a well-written rootkit cannot be caught this way, and there can be no talk of any guarantees. False positives can occur when software is updated.
