Tyton – Kernel-Mode Rootkit Hunter for Linux
Tyton is a lightweight open-source tool for detecting kernel-mode rootkits on Linux systems. It finds threats by identifying hidden modules and system call table hooks, and it provides user notifications and Dynamic Kernel Module Support (DKMS). Installation requires dependencies such as the Linux kernel headers and GCC. Although focused in function, the project is archived and needs adjustments to work with newer kernel versions. 2025-5-6 19:30:10 Author: www.darknet.org.uk

Tyton is a lightweight, open-source kernel-mode rootkit detection tool for Linux systems. Designed to identify stealthy kernel-level threats, Tyton offers a focused approach to uncovering hidden modules and system call table hooks.


Key Features

  • Rootkit Detection: Identifies hidden modules, syscall table hooks, and other common rootkit techniques.
  • User Notifications: Includes a userland daemon that monitors journald logs and provides desktop notifications using libnotify.
  • DKMS Support: Dynamic Kernel Module Support for seamless integration with kernel updates on distributions like Arch and Fedora.
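As an added example (not Tyton's own code, which performs this comparison inside the kernel), the hidden-module check can be approximated from userspace by cross-viewing two kernel-provided lists: a module that unlinks itself from the kernel's module list disappears from /proc/modules, but its sysfs directory under /sys/module normally remains. The sample inputs and the module name evil_mod are constructed; a module that also removes its sysfs entry is not caught by this heuristic, which is why an in-kernel tool like Tyton is the stronger check.

```python
import os
import sys

# Constructed sample input (not taken from a real system): /proc/modules lists two
# modules, while sysfs shows a third loadable module, "evil_mod", that the kernel's
# module list no longer reports. "printk" stands in for built-in code, which has a
# /sys/module entry but no initstate file.
SAMPLE_PROC_MODULES = (
    "ext4 778240 2 - Live 0x0000000000000000\n"
    "xfs 1548288 0 - Live 0x0000000000000000\n"
)
SAMPLE_SYSFS_NAMES = ["ext4", "xfs", "evil_mod", "printk"]
SAMPLE_LOADABLE = {"ext4", "xfs", "evil_mod"}


def parse_proc_modules(text):
    """Return the set of module names (first column) from /proc/modules-style text."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def find_hidden_modules(proc_text, sysfs_names, is_loadable):
    """Names that sysfs reports as loaded modules but /proc/modules omits.

    is_loadable(name) must be true only for real loadable modules; built-in
    code also appears under /sys/module (parameters only) and is excluded.
    """
    loadable = {name for name in sysfs_names if is_loadable(name)}
    return loadable - parse_proc_modules(proc_text)


def scan_live_system():
    """Run the cross-view check against the running kernel (no privileges needed)."""
    with open("/proc/modules") as fh:
        proc_text = fh.read()
    names = os.listdir("/sys/module")
    # Loadable modules carry an 'initstate' attribute; built-in entries do not.
    return find_hidden_modules(
        proc_text, names, lambda n: os.path.exists(f"/sys/module/{n}/initstate"))


if __name__ == "__main__":
    if "--live" in sys.argv:
        hidden = scan_live_system()
    else:
        hidden = find_hidden_modules(
            SAMPLE_PROC_MODULES, SAMPLE_SYSFS_NAMES, SAMPLE_LOADABLE.__contains__)
    for name in sorted(hidden):
        print(f"possible hidden module: {name}")
    sys.exit(1 if hidden else 0)
```

Run without arguments to see the constructed case flag evil_mod; run with --live to compare the real /proc/modules and /sys/module views on the current host.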

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Installation

  • Linux Kernel 4.4.0-31 or greater
  • Corresponding Linux Kernel Headers
  • GCC
  • Make
  • Libnotify
  • Libsystemd
  • Package Config (pkg-config)
  • GTK3

To install (after satisfying the dependencies above):

sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev

git clone https://github.com/nbulischeck/tyton.git

cd tyton

make

sudo insmod tyton.ko

Note: For Ubuntu 14.04, replace libsystemd-dev with libsystemd-journal-dev.

Considerations

  • Archived Project: Tyton is no longer actively maintained; the repository is archived and read-only.
  • Kernel Compatibility: May require adjustments for compatibility with newer kernel versions.
  • Limited Scope: Focused solely on rootkit detection without broader intrusion detection capabilities.

While Tyton provides a targeted approach to rootkit detection, its archived status and limited scope may necessitate exploring more actively maintained and comprehensive security tools for robust system protection.

Download Tyton Kernel-Mode Rootkit Hunter for Linux

https://github.com/nbulischeck/tyton/releases/tag/v1.2

Source: https://www.darknet.org.uk/2025/04/tyton-kernel-mode-rootkit-hunter-for-linux/