
A root kit check tool must be run on the system at least weekly.


Overview

Finding ID: V-22575
Version: GEN008380
Rule ID: SV-63207r2_rule
IA Controls: DCSL-1
Severity: Medium
Description
Root kits are software packages designed to conceal the compromise of a system from the SA. Root kit checking tools examine a system for evidence that a root kit is installed. Dedicated root kit detection software or root kit detection capabilities included in anti-virus packages may be used to satisfy this requirement.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2015-03-26

Details

Check Text (C-51929r3_chk)
Ask the SA if a root kit check tool is run on the system weekly.

If this is not performed, this is a finding.

Due to the manner in which anti-virus packages are currently fielded (they run daily via a cron job, as required per GEN006640), they do not protect against the introduction of a root kit on the system. Unless the anti-virus software is loaded before the kernel and run as a daemon process thereafter, use of an anti-virus application is not a viable protection strategy.

The only viable process to detect root kits is to bring the system completely down, boot the system from media that has the root kit scanner, and then scan each of the system's partitions. While it is possible that this could be performed in an automated fashion by an application such as BladeLogic, it is more likely that the site/program will have to perform this activity manually to meet the requirement.
Fix Text (F-53783r2_fix)
Create an automated job or establish a site-defined procedure to check the system weekly with a root kit check tool.
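As an added example (not part of the STIG or this viewer page), a small POSIX shell audit helper for the check above: it decides whether a crontab schedules a root kit scanner at least weekly, which is the evidence an SA would need to show. It assumes the scanner is rkhunter or chkrootkit (adjust TOOL_PATTERN for another tool) and reads crontab text on stdin; the sample crontabs are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the STIG): report whether a crontab runs a
# root kit check tool at least weekly. Assumption: the tool is rkhunter or
# chkrootkit; edit TOOL_PATTERN for whatever scanner the site fields.

TOOL_PATTERN='rkhunter|chkrootkit'

# is_at_least_weekly "<crontab line>"
# A five-field schedule fires at least weekly when the month field is '*'
# and either day-of-month is '*' (daily, or on the listed weekdays) or
# day-of-week is restricted. A fixed day-of-month with '*' weekday is
# monthly and fails. @shortcuts are classified by name.
is_at_least_weekly() {
    case "$1" in
        @hourly*|@daily*|@midnight*|@weekly*) return 0 ;;
        @*) return 1 ;;             # @monthly, @yearly, @annually, @reboot
    esac
    set -f                          # stop '*' fields from globbing
    set -- $1
    set +f
    [ $# -ge 6 ] || return 1        # five schedule fields plus a command
    dom=$3; mon=$4; dow=$5
    [ "$mon" = '*' ] || return 1
    [ "$dom" = '*' ] && return 0
    [ "$dow" != '*' ]
}

# crontab_has_weekly_rootkit_check < crontab_text
# True when a non-comment entry names the tool and fires at least weekly.
crontab_has_weekly_rootkit_check() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq "$TOOL_PATTERN" || continue
        is_at_least_weekly "$line" && return 0
    done
    return 1
}

# Constructed sample crontabs, not taken from a real host.
GOOD_CRONTAB='# root kit scan every Sunday at 03:30
30 3 * * 0 /usr/bin/rkhunter --check --skip-keypress --report-warnings-only
0 4 * * * /usr/bin/freshclam'
BAD_CRONTAB='0 2 1 * * /usr/sbin/chkrootkit
0 4 * * * /usr/bin/freshclam'
if printf '%s\n' "$GOOD_CRONTAB" | crontab_has_weekly_rootkit_check; then
    echo "OK: a root kit check is scheduled at least weekly"
else
    echo "FINDING: no weekly root kit check in crontab"
fi
```

A scanner script placed in /etc/cron.weekly also meets the interval, but this helper only parses crontab lines, so inspect that directory separately. On a live host, feed it `crontab -l` output for root and the contents of /etc/crontab.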