UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A root kit check tool must be run on the system at least weekly.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22575 GEN008380 SV-63207r2_rule DCSL-1 Medium
Description
Root kits are software packages designed to conceal the compromise of a system from the SA. Root kit checking tools examine a system for evidence that a root kit is installed. Dedicated root kit detection software or root kit detection capabilities included in anti-virus packages may be used to satisfy this requirement.
STIG Date
Oracle Linux 5 Security Technical Implementation Guide 2015-06-05

Details

Check Text ( C-51929r3_chk )
Ask the SA if a root kit check tool is run on the system weekly.

If this is not performed, this is a finding.

Due to the manner in which anti-virus packages are currently fielded (they run daily via a cron job, as required per GEN006640) they do not protect against the introduction of a root kit on the system. Unless the antivirus software is loaded before the kernel and run as a daemon process thereafter, use of an antivirus application is not a viable protection strategy.

The only viable process to detect for root kits is to bring the system completely down, boot the system from media that has the root kit scanner, and then scan each of the systems partitions. While it is possible that this could be performed in an automated fashion by an application such as BladeLogic it is more likely that the site/program will have to perform this activity manually to meet the requirement.
Fix Text (F-53783r2_fix)
Create an automated job or establish a site-defined procedure to check the system weekly with a root kit check tool.