Rollback for Linux: Malware Solutions

Discussion in 'all things UNIX' started by Searching_ _ _, Dec 26, 2009.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Jan 2, 2008
    Malware Hunting on Linux

    I wondered if there were rollback software for linux.

    I stumbled on to Bazaar

  2. chronomatic

    chronomatic Registered Member

    Apr 9, 2009
    I beg to differ with this statement. First off, in order for a rootkit to be installed, the root account must be compromised (that's what a rootkit is by definition). This means that a root process must be exposed to an attacker (either directly or through a privilege escalation). This sort of thing would be exceedingly rare, especially on a desktop machine. And on servers, any admin worth his salt will be very careful with what root processes/services are able to be accessed. The same goes for setuid and setgid binaries. This can be achieved with various hardening measures, perhaps the most important of which would be mandatory access controls (SELinux, AppArmor, Grsecurity, SMACK).

    So, no, Linux is not just as prone to rootkits as a default Windows installation (especially a Windows installation where the machine is ran as admin 24/7). As for trojans, sure. Trojans, by definition, are just socially engineered malware attacks. Viruses, no. There has never been a viable virus on the Linux platform (and as far as I know, the same goes for the other Unices).

    And I think HIDS are far less effective than using memory hardening (PaX, Exec-Shield) and MAC systems. HIDS only alert you after the fact. And I am not sure why that author left out AIDE and Tripwire.
  3. Alphalutra1

    Alphalutra1 Registered Member

    Dec 17, 2005
    Filesystem snapshots. I know lvm can do them and the new filesystem brtfs can as well.

    However, the most effortless, well integrated, well tested, snapshot system has to be in ZFS. I love it. I'm using it on FreeBSD 8-Stable right now, and its a beauty to use. All I do is
    zfs snapshot -r myzfspool@nameofsnapshot
    and it creates a snapshot of every filesystem in my pool. If I mess anything up, I can simply restore from the snapshot. All changes are recorded. These snapshots can also be backed up remotely with one command as well, selectively deleted and restored for each filesystem, etc.


Thread Status:
Not open for further replies.