Ask the SA if a root kit check tool is run on the system weekly. If this is not performed, this is a finding.
Due to the manner in which anti-virus packages are currently fielded (they run daily via a cron job, as required by GEN006640), they do not protect against the introduction of a root kit on the system. Unless the antivirus software is loaded before the kernel and run as a daemon process thereafter, use of an antivirus application is not a viable protection strategy.
The only viable process to detect root kits is to bring the system completely down, boot the system from media that contains the root kit scanner, and then scan each of the system's partitions. While it is possible that this could be performed in an automated fashion by an application such as BladeLogic, it is more likely that the site/program will have to perform this activity manually to meet the requirement.
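As an added example that is not part of the STIG text, the following POSIX shell functions audit the scheduling half of this check: whether a crontab contains an active root kit check entry that runs at least weekly. The scanner names (rkhunter, chkrootkit) and the sample crontab contents are constructed assumptions; the offline boot-and-scan procedure itself is not something a script on the running system can verify.

```shell
# Added example, not part of the STIG text: audit a crontab for a root kit
# check that is scheduled at least weekly. The scanner names (rkhunter,
# chkrootkit) and the sample crontab contents are constructed assumptions.

# Returns 0 if one crontab entry runs at least once every 7 days, else 1.
# Conservative rule: month must be '*', day-of-month must be '*' or a step
# of 7 days or less; any day-of-week spec then selects a day in each week.
cron_runs_at_least_weekly() {
    case "$1" in
        @hourly*|@daily*|@midnight*|@weekly*) return 0 ;;
        @*) return 1 ;;                       # @monthly, @yearly, @reboot
    esac
    (                                         # subshell keeps 'set -f' local
        set -f                                # stop '*' fields from globbing
        set -- $1                             # split: min hour dom mon dow cmd
        [ $# -ge 6 ] || exit 1                # five time fields plus a command
        [ "$4" = "*" ] || exit 1              # month must be unrestricted
        case "$3" in
            "*"|"*/"[1-7]) exit 0 ;;
            *) exit 1 ;;
        esac
    )
}

# Returns 0 (compliant) if any active crontab line naming the scanner runs
# at least weekly; returns 1 otherwise, which is a finding under this check.
audit_rootkit_schedule() {
    crontab_text=$1
    pattern=${2:-"rkhunter|chkrootkit"}
    printf '%s\n' "$crontab_text" | grep -v '^[[:space:]]*#' |
        grep -E -- "$pattern" | {
            while IFS= read -r entry; do
                cron_runs_at_least_weekly "$entry" && exit 0
            done
            exit 1
        }
}

# Constructed sample crontabs: the first satisfies the check; the second
# does not (the weekly line is commented out, the remaining scan is monthly).
SAMPLE_CRONTAB_OK='0 2 * * * /usr/bin/clamscan -r /
30 3 * * 0 /usr/bin/rkhunter --check --sk --report-warnings-only'
SAMPLE_CRONTAB_FINDING='0 2 * * * /usr/bin/clamscan -r /
#30 3 * * 0 /usr/bin/rkhunter --check --sk
0 4 1 * * /usr/bin/chkrootkit'
```

To check a live system, run `audit_rootkit_schedule "$(crontab -l 2>/dev/null)"` for the root crontab (and the same over /etc/crontab and /etc/cron.d entries); an exit status of 1 means no weekly root kit check is scheduled there.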