| 1 |
atoth-J1cgac+wqeJaB7pSnPOuKA@××××××××××××.org wrote: |
| 2 |
> On Sze, November 26, 2008 03:02, 7v5w7go9ub0o wrote: |
| 3 |
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel, |
| 4 |
>> rbac control, and jails for anything that accesses the LAN/WAN.(heh... I |
| 5 |
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of |
| 6 |
>> Linux rootkit signatures in its database, so I run Avira and Dazuko |
| 7 |
>> realtime/on-access scanning on my /home directory, the chroot jails, and |
| 8 |
>> on the portage workspace used during download and compilation. |
| 9 |
> |
| 10 |
> patch-dazuko-2.6.26 cannot be applied on 2.6.27 any more, because of some |
| 11 |
> API changes. There are signs of a redirfs-based patch for 2.6.27. I |
| 12 |
> haven't downloaded it, yet. Upstream pushes dazukofs. What type of dazuko |
| 13 |
> setup do you use? What are your experiences with redirfs or dazukofs? |
| 14 |
|
| 15 |
Sigh... yes, it becomes murky for me beyond 2.6.26. |
| 16 |
|
| 17 |
I'm presently using patch-dazuko-linux-2.6.25.diff.gz on |
| 18 |
hardened-sources-2.6.25-r10, and don't have any experience with redirfs |
| 19 |
or dazukofs. |
| 20 |
|
| 21 |
ISTM there is now (finally) a LOT of interest in real-time file access |
| 22 |
control, along with competing approaches including dazuko, dazukofs, |
| 23 |
redirfs, and "libmalware.so" (under discussion at kerneltrap). |
| 24 |
|
| 25 |
Things I'd like to pursue :-) : |
| 26 |
|
| 27 |
1. Signature and heuristic scanning of anything that downloads into my |
| 28 |
box, or anything that may be compiled from otherwise innocent looking |
| 29 |
code. Dazuko/Antivir provides that now. |
| 30 |
|
| 31 |
2. "whitelist" scanning. This would be a realtime "integrity management |
| 32 |
system" challenge/update. So if, for e.g., the MD5 of an LKM or other |
| 33 |
system file changed, the scanner would stop, popup, and challenge the |
| 34 |
validity of the modified LKM. |
| 35 |
|
| 36 |
3. "changed folder" monitoring. e.g. if I get activity in a usenet |
| 37 |
application, I could get a popup and "beep". |
Archives