
Clean boot scans, chkrootkit, and RAID Hotswap For FIDS

Posted Mar 19, 2004 1:59 UTC (Fri) by AnswerGuy (guest, #1256)
In reply to: A new Adore root kit by copsewood
Parent article: A new Adore root kit

Of course running chkrootkit and/or AIDE or other checksum scanners from
a clean boot will help find compromised files and *known* rootkits.

However, that impinges on uptime for 24x7 servers. There should be
scheduled downtime and such clean boot scanning should be routine during
those downtime windows.

It's possible, with a hotswap-capable mirror (RAID1), to yank a drive,
insert it into a scan system, force it to come up in degraded mode
as a mountable (non-system) drive and then scan that.

(Put in a spare on the production system and let it re-integrate to
preserve the array and performance).

If it's true hotswap hardware you can do this. If it's soft RAID and
you try commands like raidsetfaulty, etc., then you risk the attacker
hooking into that and covering his traces.

I'm surprised I've never seen an article published on this technique;
I've been describing it for years and tested it a couple of times. (I'm
not maintaining any production systems in this configuration.)

JimD
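The offline scan JimD describes boils down to comparing the pulled mirror member, mounted read-only on a trusted scan host, against a baseline captured when the system was known clean. The script below is an added example (not from the comment, LWN, chkrootkit or AIDE) of that comparison: it fingerprints every file and symlink under a mount point, then reports what was added, removed or modified relative to the baseline manifest. The assembly and mount commands in the comments are assumptions about how the scan host would bring up the degraded array; the directory trees the demo walks are constructed in a temporary directory so it runs offline.

```python
"""Offline integrity comparison of a pulled RAID1 member against a baseline.

Hypothetical scan-host workflow (assumed commands, not part of the original
comment): assemble the single pulled member read-only and degraded, mount it
with no execution rights, then point build_manifest() at the mount point.

    mdadm --assemble --run --readonly /dev/md9 /dev/sdX1
    mount -o ro,noexec,nodev,nosuid /dev/md9 /mnt/scan

The baseline manifest must come from a run over a known-clean tree and be
stored off the production system, otherwise an intruder can "fix" it too.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes a checksum scanner cares about, taken with lstat so that a
    symlink is recorded as a symlink rather than followed."""
    st = path.lstat()
    entry = {"mode": oct(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_manifest(root: Path) -> dict:
    """Walk root without following symlinks; keys are paths relative to root
    so a baseline taken at / matches a scan taken at /mnt/scan."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = fingerprint(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, or modified (any attribute
    differs: content hash, size, mode, owner, or symlink target)."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = [p for p in base_keys & cur_keys if baseline[p] != current[p]]
    return {"added": sorted(cur_keys - base_keys),
            "removed": sorted(base_keys - cur_keys),
            "modified": sorted(modified)}


def demo() -> dict:
    """Constructed scenario: snapshot a tiny clean tree, then alter it the way
    a later pull of the mirror might look, and diff the two manifests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF clean ls")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_manifest(root)
        # Persisting the baseline as JSON is what you would keep off-box.
        baseline = json.loads(json.dumps(baseline))

        (root / "bin" / "ls").write_bytes(b"ELF replaced ls")  # binary swapped
        (root / "etc" / "motd").unlink()                       # file removed
        (root / "lib").mkdir()
        (root / "lib" / "libproc.so").write_bytes(b"new file")  # file added
        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real pulled drive by replacing the constructed trees with `build_manifest(Path("/mnt/scan"))` and a baseline loaded from your off-box JSON. Because the manifest records mode, owner, size and SHA-256 rather than just timestamps, a replaced binary is caught even if its mtime was restored, and because the tree is mounted `noexec,nosuid` on a separately booted host, nothing on the suspect disk runs during the comparison.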



Copyright © 2013, Eklektix, Inc.