[CentOS] how to know when a system is compromised

Thu Nov 14 19:23:18 UTC 2019
Phil Perry <pperry at elrepo.org>

On 14/11/2019 16:57, Valeri Galtsev wrote:
> 
> 
> On 2019-11-14 10:01, Christopher Wensink wrote:
>> I have not, I'll look into that one, thanks!
>>
>> On 11/14/2019 9:48 AM, SternData wrote:
>>> Do you run rkhunter?
>>>
>>> On 11/14/19 9:40 AM, Christopher Wensink wrote:
>>>> How do you know when a Linux system has been compromised?
> 
> I'm sure you have followed the procedure for how to install the system and 
> services so everything is secure.
> 
> If, in the longer run, no matter that you have the system set up and configured 
> securely and keep updating, the system still gets compromised, then 
> you need:
> 
> 1. compromise warning
> 2. forensic investigation
> 3. recovery from compromise.
> 
> I figure yours is about 1. You probably will not get a detailed description 
> of the actual setup people on this list have. Information about what the 
> defense is is the first step in every attack. The best you may get is 
> advice on what to look for.
> 
> One of the things you can set up is a [host based, maybe] system integrity 
> checking system (or intrusion detection system). That only makes sense 
> on a freshly installed system in a known good state. There were a variety of 
> these: tripwire (which went commercial), eics, ... If you search for 
> linux intrusion detection system you should find what you need.
> 
> I hope, this helps.
> 
> Valeri
> 

I would add Trusted Path Execution (TPE) to the toolbox of any sysadmin who 
cares about security. It's easy to install from elrepo.org (kmod-tpe). I 
wrote an overview (below) so won't repeat myself here, but I would 
strongly encourage people to try it out:

http://lists.elrepo.org/pipermail/elrepo/2017-June/003620.html
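The baseline-then-verify idea behind tripwire-style integrity checking, as an added example that is not code from this thread and is not tripwire, AIDE or any other real tool: take a fingerprint of every file on a known-good system, store it where the host cannot rewrite it, and diff a fresh fingerprint against it later. It assumes a POSIX host (it records lstat mode/uid/gid), and the fake usr/sbin tree, file names and "compromise" in demo() are constructed for illustration.

```python
"""Minimal host-based file-integrity baseline and check.

Added example, not code from the CentOS thread or from tripwire/AIDE.
Assumes a POSIX host (uses lstat mode/uid/gid bits). The fake tree,
file names and contents in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Record the attributes an attacker would have to preserve to stay hidden.
    mtime is deliberately left out: it is trivially forged with touch(1)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)       # a redirected symlink is a change
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()           # catches same-size trojaned binaries
    return rec


def snapshot(root):
    """Walk root and return {relative path: fingerprint} for files and symlinks."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        # os.walk lists symlinks to directories in dirnames; record them too,
        # but never follow them (followlinks=False is the default).
        entries = list(filenames) + [d for d in dirnames
                                     if os.path.islink(os.path.join(dirpath, d))]
        for name in sorted(entries):
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = _fingerprint(full)
    return db


def save_baseline(db, path):
    """Write the baseline. In real use keep this copy where root on the
    monitored host cannot rewrite it (read-only media or a remote host);
    otherwise an intruder simply re-baselines after planting the rootkit."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added, removed and changed paths; 'changed' maps path -> fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if fields:
            changed[path] = fields
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake usr/sbin tree, then simulate a
    compromise and return the compare() report."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "rootfs")          # the monitored tree
        db_path = os.path.join(work, "baseline.json")  # kept outside that tree
        sbin = os.path.join(root, "usr", "sbin")
        os.makedirs(sbin)
        for name, data in {"sshd": b"original sshd bytes",
                           "lsof": b"lsof bytes",
                           "auditd": b"auditd bytes"}.items():
            with open(os.path.join(sbin, name), "wb") as f:
                f.write(data)
            os.chmod(os.path.join(sbin, name), 0o755)
        save_baseline(snapshot(root), db_path)

        # Simulated intrusion (constructed):
        #  - sshd replaced by a same-size binary  -> only sha256 differs
        #  - lsof made setuid                      -> only mode differs
        #  - auditd deleted                        -> removed
        #  - a dot-file dropped into usr/sbin      -> added
        with open(os.path.join(sbin, "sshd"), "wb") as f:
            f.write(b"backdoor sshd bytes")
        os.chmod(os.path.join(sbin, "lsof"), 0o4755)
        os.remove(os.path.join(sbin, "auditd"))
        with open(os.path.join(sbin, ".hidden"), "wb") as f:
            f.write(b"payload")

        return compare(load_baseline(db_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats the tool cannot fix for you: the baseline is only meaningful if it was taken on a freshly installed host before anything untrusted ran, and a kernel-level rootkit on the running host can lie to lstat() and read() so that the "current" snapshot matches the baseline. For a suspect machine, run the check from known-good boot media against the mounted filesystem rather than from the host's own kernel.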