atoth-J1cgac+wqeJaB7pSnPOuKA@××××××××××××.org wrote:
> On Wed, November 26, 2008 03:02, 7v5w7go9ub0o wrote:
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
>> rbac control, and jails for anything that accesses the LAN/WAN. (heh... I
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of
>> Linux rootkit signatures in its database, so I run Avira and Dazuko
>> realtime/on-access scanning on my /home directory, the chroot jails, and
>> on the portage workspace used during download and compilation.
>
> patch-dazuko-2.6.26 cannot be applied on 2.6.27 any more, because of some
> API changes. There are signs of a redirfs-based patch for 2.6.27. I
> haven't downloaded it yet. Upstream pushes dazukofs. What type of dazuko
> setup do you use? What are your experiences with redirfs or dazukofs?

Sigh... yes, it becomes murky for me beyond 2.6.26.

I'm presently using patch-dazuko-linux-2.6.25.diff.gz on
hardened-sources-2.6.25-r10, and don't have any experience with redirfs
or dazukofs.

ISTM there is now (finally) a LOT of interest in real-time file access
control, along with competing approaches including dazuko, dazukofs,
redirfs, and "libmalware.so" (under discussion at kerneltrap).

Things I'd like to pursue :-) :

1. Signature and heuristic scanning of anything that downloads into my
box, or anything that may be compiled from otherwise innocent-looking
code. Dazuko/Antivir provides that now.

2. "Whitelist" scanning. This would be a realtime "integrity management
system" challenge/update. So if, e.g., the MD5 of an LKM or other
system file changed, the scanner would stop, pop up, and challenge the
validity of the modified LKM.

3. "Changed folder" monitoring. e.g. if I get activity in a usenet
application, I could get a popup and "beep".
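The "whitelist" integrity check described in point 2 (a known-good hash per kernel module, with an alarm when one changes) can be sketched as a baseline-and-verify pass. The script below is an added example for this thread, not code posted by either participant or shipped by Dazuko, Avira or any of the projects mentioned. It swaps SHA-256 in for the MD5 the post names, since MD5 collisions are cheap to produce; the module tree it hashes is a constructed fake built in a temporary directory, and the kernel version string in that path is made up for the demo.

```python
"""Baseline-and-verify integrity check for a kernel module tree.

Added example (not from the original mailing-list thread). Hashes every
*.ko under a root, keeps (size, sha256) per file as the whitelist, and on
a later pass reports modified, added and removed modules. SHA-256 replaces
the MD5 mentioned in the post because MD5 collisions are cheap to build.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large modules need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, suffixes=(".ko",)):
    """Map relative path -> (size, sha256) for matching regular files under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Symlinks are skipped deliberately: a symlink dropped in place of a
        # real module would later show up as a removed entry, not as "clean".
        if p.is_symlink() or not p.is_file():
            continue
        if suffixes and p.suffix not in suffixes:
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = (st.st_size, sha256_file(p))
    return baseline


def verify(root, baseline, suffixes=(".ko",)):
    """Rescan root and diff it against the stored baseline.

    Returns a dict with sorted 'modified', 'added' and 'removed' lists and a
    'clean' flag. 'added' matters as much as 'modified': an extra LKM that
    was never whitelisted is exactly what a rootkit dropper leaves behind.
    """
    current = build_baseline(root, suffixes)
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    return {"modified": modified, "added": added, "removed": removed,
            "clean": not (modified or added or removed)}


def demo():
    """Constructed scenario: fake module tree, baseline, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical path layout; the version string is made up for the demo.
        mods = Path(d) / "lib" / "modules" / "2.6.25-hardened-r10"
        (mods / "kernel" / "fs").mkdir(parents=True)
        (mods / "kernel" / "fs" / "ext3.ko").write_bytes(b"\x7fELF fake ext3 module")
        (mods / "kernel" / "dazuko.ko").write_bytes(b"\x7fELF fake dazuko module")
        (mods / "modules.dep").write_text("kernel/fs/ext3.ko:\n")  # not .ko, ignored

        baseline = build_baseline(mods)
        before = verify(mods, baseline)

        # Simulated tampering: one module overwritten, one unknown module added.
        (mods / "kernel" / "dazuko.ko").write_bytes(b"\x7fELF trojaned dazuko module")
        (mods / "kernel" / "evil.ko").write_bytes(b"\x7fELF hidden module")
        after = verify(mods, baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before)
    print("after tamper: ", after)
```

Two caveats a practitioner would attach to this. First, the baseline has to live somewhere the attacker cannot rewrite (read-only media, or signed and checked against a key that is not on the box), otherwise the dropper simply re-baselines after installing its module. Second, a userspace checker like this one runs on top of the kernel it is trying to vouch for; once a rootkit LKM is loaded it can lie about file contents to every read() the checker issues, which is the reason the post is looking at kernel-side on-access hooks rather than periodic scans.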