[CentOS] how to know when a system is compromised
Phil Perry
pperry at elrepo.org
Thu Nov 14 19:23:18 UTC 2019
On 14/11/2019 16:57, Valeri Galtsev wrote:
>
>
> On 2019-11-14 10:01, Christopher Wensink wrote:
>> I have not, I'll look into that one, thanks!
>>
>> On 11/14/2019 9:48 AM, SternData wrote:
>>> Do you run rkhunter?
>>>
>>> On 11/14/19 9:40 AM, Christopher Wensink wrote:
>>>> How do you know when a Linux system has been compromised?
>
> I'm sure you have followed the procedure how to install system and
> services so everything is secure.
>
> If, in a longer run no matter that you have system set up and configured
> securely and keep updating, if still the system gets compromised, then
> you need:
>
> 1. compromise warning
> 2. forensic investigation
> 3. recovery from compromise.
>
> I figure yours is about 1. You probably will not get detailed description
> of actual setup people on this list have. Information about what the
> defense is is the first step in every attack. The best you may get is
> advice on what to look for.
>
> One of the things you can set up is [host based, maybe] system integrity
> checking system (or intrusion detection system). That only makes sense
> on freshly installed system in known good state. There were a variety of
> these: tripwire (which went commercial), eics, ... If you search for
> linux intrusion detection system you should find what you need.
>
> I hope, this helps.
>
> Valeri
>
I would add Trusted Path Execution (TPE) to any sysadmin's toolbox who
cares about security. It's easy to install from elrepo.org (kmod-tpe). I
wrote an overview (below) so won't repeat myself here, but I would
strongly encourage people to try it out:
http://lists.elrepo.org/pipermail/elrepo/2017-June/003620.html
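An added example, not code from this thread or from any of the tools named in it, of the host-based integrity check Valeri describes: record hashes and metadata for a tree while the system is in a known-good state, keep that baseline off the host, and diff the live tree against it later. The sample tree and the simulated tampering are constructed inside a temporary directory; `build_baseline`, `compare` and `demo` are names chosen here.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """SHA-256 plus the metadata a rootkit typically disturbs: mode, owner, size."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())      # hash the link target, not what it points at
    else:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)

def build_baseline(root):
    """Walk root and record every regular file and symlink.
    Run once right after installation; store the result on read-only media."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline

def compare(baseline, current):
    """Report what changed since the baseline: dropped files, deleted files, altered files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo():
    """Constructed sample tree (not a real host): baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin"); bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        Path(d, "shadow").write_bytes(b"root:*:18000:0:99999:7:::\n")
        baseline = build_baseline(d)
        # Simulated compromise: altered ps, a hidden new file, a deleted file.
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\" | grep -v x\n")
        (bin_dir / ".hidden").write_bytes(b"constructed payload")
        Path(d, "shadow").unlink()
        return compare(baseline, build_baseline(d))
```

The check only has value if the baseline was taken before any exposure and is stored where the host cannot rewrite it; an attacker with root can otherwise simply regenerate it.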