topic Re: rootkits in Operating System - HP-UX

rootkits

Tommy Brown — Tue, 15 Aug 2006 09:05:46 GMT

Our security admin asked me if there was any HPUX programs/security tools to detect/protect us from rootkits. I have not seen anything regarding this in the forums. I subscribe to the HP security lists and have not seen anything there either. Is this a legitimate concern or paranoia. I do not want to miss any thing pertinent.
Thanks
Tommy

Re: rootkits

spex — Tue, 15 Aug 2006 09:23:13 GMT

Hi Tommy,

Snort offers lightweight network intrusion detection. The HP-UX port is available here:

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/snort-2.4.5/

PCS

Re: rootkits

Peter Godron — Tue, 15 Aug 2006 09:27:26 GMT

Tommy,
in my opinion not a real concern.

On a PC you may install downloaded software, relying on virus check etc. However on HPUX you tend to only installed software from reputable sources. If you want to you could create a list of executable to be 'protected' and generate checksums, which you could compare on a regular basis.

Keep your root account safe and with the right file protection there should be no cause for alarm.

Re: rootkits

Tim Nelson — Tue, 15 Aug 2006 09:33:20 GMT

I believe the HP IDS9000 does some of this. Marks and monitors for changes in listed files.

Freely included with your OS distribution.

Re: rootkits

Robert Fritz — Wed, 16 Aug 2006 07:22:40 GMT

There's also tripwire for monitoring file checksums.

Note that when an OS is compromised with unknown-origin software... there's really nothing you can do to be sure you can detect the effects, if the installer was root/admin. On the PC, the rootkit "detectors" just detect known signatures. That's fine until the next one, or until someone builds one just for you. I was at blackhat, and there was an announced "undetectable" rootkit for Vista...

So in short on the PC Mac, Linux, and HP-UX... don't install from untrusted sources... regardless of what the "rootkit detector" vendors claim.

Re: rootkits

Steven E. Protter — Wed, 16 Aug 2006 08:17:36 GMT

Shalom Tommy,

Yes, there is a rootkit protection kit as part of Internet Express.

Inerenet Express is offered by http://software.hp.com for 11iv1 and 11iv2

Just search for Internet Express and you will see the rootkit protection among the 69 components of Internet Express.

SEP

Re: rootkits

Tommy Brown — Fri, 18 Aug 2006 12:09:05 GMT

Thanks All,
I hope to download and test out Stephen's solution when I get a chance.