On 14/11/2019 16:57, Valeri Galtsev wrote:
>
> On 2019-11-14 10:01, Christopher Wensink wrote:
>> I have not, I'll look into that one, thanks!
>>
>> On 11/14/2019 9:48 AM, SternData wrote:
>>> Do you run rkhunter?
>>>
>>> On 11/14/19 9:40 AM, Christopher Wensink wrote:
>>>> How do you know when a Linux system has been compromised?
>
> I'm sure you have followed the procedure how to install system and services so everything is secure.
>
> If, in a longer run, no matter that you have the system set up and configured securely and keep updating, the system still gets compromised, then you need:
>
> 1. compromise warning
> 2. forensic investigation
> 3. recovery from compromise.
>
> I figure yours is about 1. You probably will not get a detailed description of the actual setup people on this list have. Information about what the defense is is the first step in every attack. The best you may get is advice on what to look for.
>
> One of the things you can set up is a [host based, maybe] system integrity checking system (or intrusion detection system). That only makes sense on a freshly installed system in a known good state. There were a variety of these: tripwire (which went commercial), eics, ... If you search for linux intrusion detection system you should find what you need.
>
> I hope this helps.
>
> Valeri
>

I would add Trusted Path Execution (TPE) to any sysadmin's toolbox who cares about security. It's easy to install from elrepo.org (kmod-tpe). I wrote an overview (below) so won't repeat myself here, but I would strongly encourage people to try it out:

http://lists.elrepo.org/pipermail/elrepo/2017-June/003620.html
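The host-based integrity checking Valeri describes (baseline a known-good system, re-scan later, alert on differences) in a minimal form, as an added example that is not part of the thread or of tripwire/AIDE; the sample tree and the post-baseline changes are constructed in a temporary directory, and the attribute set (mode, owner, size, SHA-256, symlink target) is an assumption chosen to mirror what those tools record:

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    # Attributes a tripwire-style checker compares: mode/owner for everything,
    # size + SHA-256 for regular files, link target for symlinks.
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        # read_bytes() keeps the example short; chunk the read for large files
        rec.update(size=st.st_size, sha256=hashlib.sha256(path.read_bytes()).hexdigest())
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec

def build_baseline(root: Path) -> dict:
    # Snapshot every entry under root; taken on the freshly installed, known-good system.
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline

def verify(root: Path, baseline: dict) -> dict:
    # Re-scan and report what appeared, vanished, or changed since the baseline.
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in set(current) & set(baseline):
        old, new = baseline[rel], current[rel]
        diff = {k: (old.get(k), new.get(k)) for k in old.keys() | new.keys()
                if old.get(k) != new.get(k)}
        if diff:
            report["changed"][rel] = diff
    return report

def demo() -> dict:
    # Constructed sample tree (not a real system): baseline it, then make the
    # kinds of changes a compromise leaves behind and see the checker flag them.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline = build_baseline(root)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho replaced\n")  # same size, new content
        (root / "bin" / "extra").write_bytes(b"")  # unexpected new file
        (root / "hosts.allow").unlink()  # config removed
        return verify(root, baseline)
```

The replaced `bin/ls` has the same size and mode as the original, so only the hash catches it; in practice the baseline must be stored off-host or read-only, since a checker whose baseline the intruder can rewrite reports nothing.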