SCIENTIFIC-LINUX-USERS Archives

September 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Paul Robert Marino <[log in to unmask]>
Date: Wed, 7 Sep 2016 21:22:45 -0400
Content-Type: text/plain

Jdow,

Why are you looking at that for rootkit prevention?
It's a very old-fashioned approach; I would use RPM's verify command or one of the many filesystem checksum tools available for that instead.
Either one can tell you very easily if any critical binaries or libraries have been compromised, and there are even tools built around them to do it on a network-wide level.
Furthermore, if you really want to make your systems resistant to rootkits, a read-only mount of / and /usr is still your best bet; even Red Hat products like RHEV use that method on appliances.
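As an added illustration of the RPM verify approach (not part of this thread), the following triages `rpm -Va` output and keeps only the entries that indicate a replaced binary or library, dropping the noise that edited config files and mtime-only changes produce; the sample output is constructed.

```python
"""Triage `rpm -Va` output for signs of replaced binaries or libraries.

Added example, not from the mailing-list thread. SAMPLE_OUTPUT is constructed
in the format rpm(8) documents: a 9-character attribute string (S size,
M mode, 5 digest, D device, L readlink, U user, G group, T mtime,
P capabilities; '.' unchanged, '?' not testable), an optional file-type
marker (c config, d doc, g ghost, l license, r readme), then the path.
Files that have vanished are reported as 'missing'.
"""
import re
from dataclasses import dataclass
from typing import List

LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$"
)

SAMPLE_OUTPUT = """\
S.5....T.    /usr/bin/ls
..5....T.    /lib64/libc.so.6
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/less
missing     /usr/bin/chkrootkit
.M.......    /usr/bin/passwd
"""

@dataclass
class Finding:
    path: str
    reason: str

def triage(rpm_verify_output: str) -> List[Finding]:
    """Return entries that indicate tampered code, ignoring expected drift.

    Config files ('c') legitimately differ from the package, and an
    mtime-only change is not a content change. A changed digest ('5') or
    size ('S') on a non-config file, a missing file, or a changed mode
    (e.g. a setuid bit that was not shipped) is what a user-space rootkit
    that swaps binaries or libraries leaves behind.
    """
    findings: List[Finding] = []
    for line in rpm_verify_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines or rpm warnings, not verify records
        attrs, ftype, path = m.group("attrs"), m.group("ftype"), m.group("path")
        if attrs == "missing":
            findings.append(Finding(path, "missing"))
        elif ftype == "c":
            continue  # local config edits are expected, not a compromise signal
        elif "5" in attrs or "S" in attrs:
            findings.append(Finding(path, "content changed"))
        elif "M" in attrs:
            findings.append(Finding(path, "mode changed"))
    return findings
```

`rpm -V` trusts the local RPM database and the rpm binary itself, so on a host you already suspect, run it from known-good media or compare against the original package's checksums; that is the same trust problem the statically linked tools in this thread are meant to address.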

Original Message
From: jdow
Sent: Wednesday, September 7, 2016 19:09
To: [log in to unmask]
Subject: Re: Re: Regarding latest Linux level 3 rootkits

Thanks Vladimir,

I suppose I could pull the necessary files from busybox as a means of keeping a 
more generic Linux system in security trim. This might be a useful tool set to 
suggest upstream. A statically linked less would allow a quick check for the 
hidden user. A statically linked chkrootkit would find the bad file size for the 
affected glib libraries.

{^_^} Joanne

On 2016-09-07 03:36, Vladimir Mosgalin wrote:
> Hi jdow!
>
> On 2016.09.06 at 23:15:04 -0700, jdow wrote next:
>
>> Is there any source for a VI, VIM, or even EMACS that has all libraries
>> compiled into it statically? That would make monitoring for the rootkit much
>> easier. The same could be said for utilities such as chkrootkit. With
>> compiled in static libraries these level three (user space) rootkits can't
>> edit the results you get, as easily. (Any file system components in user
>> space would also have to be statically linked.)
>
> Busybox would work. It's usually built statically (either that, or it's
> easy to make that kind of build) and includes a vi clone. Very poor man's
> vi, just like other busybox utilities, but nevertheless. The current version
> supports some neat stuff like autoindent and undo.
>