

Groups > linux.debian.security > #6124

Re: What is the best free HIDS for Debian

Path csiph.com!aioe.org!bofh.it!news.nic.it!robomod
From Elmar Stellnberger <estellnb@elstel.org>
Newsgroups linux.debian.security
Subject Re: What is the best free HIDS for Debian
Date Wed, 11 May 2022 17:50:01 +0200
Message-ID <ElWL7-eMQc-5@gated-at.bofh.it> (permalink)
References <EiJ7H-cKEs-3@gated-at.bofh.it> <Ejlwl-d9mK-1@gated-at.bofh.it> <Ek6EV-dDUf-5@gated-at.bofh.it> <ElWL7-eMQc-7@gated-at.bofh.it>
X-Mailbox-Line From debian-security-request@lists.debian.org Wed May 11 15:43:30 2022
Old-Return-Path <estellnb@elstel.org>
X-Amavis-Spam-Status No, score=-11.057 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FOURLA=0.1, LDO_WHITELIST=-5, NICE_REPLY_A=-3.247, RCVD_IN_DNSWL_LOW=-0.7, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
X-Policyd-Weight using cached result; rate: -5.5
MIME-Version 1.0
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
Content-Language en-US
Content-Type text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding 8bit
X-Mailing-List <debian-security@lists.debian.org> archive/latest/29276
List-ID <debian-security.lists.debian.org>
List-URL <https://lists.debian.org/debian-security/>
List-Archive https://lists.debian.org/msgid-search/e96fccf1-019f-a8c1-655e-81bf463706b9@elstel.org
Approved robomod@news.nic.it
Lines 52
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Date Wed, 11 May 2022 17:43:13 +0200
X-Original-Message-ID <e96fccf1-019f-a8c1-655e-81bf463706b9@elstel.org>
X-Original-References <62701ec7$0$18715$426a34cc@news.free.fr> <627260e6$0$24819$426a74cc@news.free.fr> <7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <2449971.LtY2Am0hN3@krushik>
Xref csiph.com linux.debian.security:6124



Dear Vitaly,

On 5/10/22 05:24, Vitaly Krasheninnikov wrote:
> Hi Elmar,
> Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system.
> In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M".
> According to the description on your website, it means the modification of the file permissions, not the actual content.
> ...
> So while I truly consider the debcheckroot very useful, I think in this case it was a false positive due to the side effects of the postinst scripts of the relevant packages.
> 
> Thank you,
> Vitaly
> 

   Thanks for pointing that out! I have not used the tool for long on my own, so I forgot about the change indication marker letters. Of course there isn't much you can say about the modified group and file permission of a file. See here what Sylvain Sécherre had written me in her original email:

On 5/6/22 15:05, Sylvain Sécherre wrote to estellnb@elstel.org (BCC possible):
> Hello Elmar,
> ...
> Here's the fileserror.lis:
> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> ..._..M /usr/libexec/polkit-agent-helper-1
> ...
> The file filesunverified.lis is very long, while pkgcorrupt.lis is empty.
>
> I ran debcheckroot on a possibly infected machine.
>
> Thank you for your help!
>
> Best regards,
>
> Sylvain

   If debcheckroot was executed inside the infected root file system, then no wonder it can't find anything. The rootkits I know, and I have discovered and burned several rootkits to Blu-ray, have behaved like this: inside the root, infected executables compare OK against the pristine version, but not so outside the rootkit root when you have a fresh boot. The fact that group and file permissions of these executables have changed could at least be interpreted as suspicious, though, since normally I'd truly believe there will be nobody who modifies that.

Regards,
Elmar
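A small triage helper for the fileserror.lis lines discussed in this thread, added here as an example (it is not part of debcheckroot). It assumes, as Vitaly describes, that `G` in the leading flag field marks a changed group and `M` a changed mode, that `.` and `_` are "unchanged" filler, and that any other letter is a hypothetical marker for a change that goes beyond metadata; the last sample line is constructed to show that case.

```python
"""Split debcheckroot fileserror.lis entries into metadata-only and
content-level findings.  Added example, not debcheckroot's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed flag semantics: 'G' = group changed, 'M' = mode changed (as stated in
# the thread); '.' and '_' = unchanged filler; any other letter = hypothetical
# marker for a change that is not just ownership/permission metadata.
METADATA_LETTERS = {"G", "M"}
FILLER = "._"


@dataclass
class Finding:
    flags: str
    path: str
    package: Optional[str]
    owner: Optional[str]
    group: Optional[str]
    mode: Optional[str]

    @property
    def metadata_only(self) -> bool:
        letters = {c for c in self.flags if c not in FILLER}
        # An all-filler flag field is unexpected, so it is *not* waved through.
        return bool(letters) and letters <= METADATA_LETTERS


def parse_line(line: str) -> Optional[Finding]:
    """Parse 'FLAGS PATH [PACKAGE [OWNER GROUP MODE]]'; trailing fields are
    optional, as the polkit-agent-helper-1 line in the thread shows."""
    fields = line.split()
    if len(fields) < 2:
        return None
    package = fields[2] if len(fields) > 2 else None
    owner, group, mode = (fields[3:6] + [None, None, None])[:3]
    return Finding(fields[0], fields[1], package, owner, group, mode)


def triage(text: str) -> Tuple[List[Finding], List[Finding]]:
    """Return (metadata_only, needs_review) lists for a fileserror.lis body."""
    metadata, review = [], []
    for line in text.splitlines():
        finding = parse_line(line)
        if finding is not None:
            (metadata if finding.metadata_only else review).append(finding)
    return metadata, review


# Sample input: the four lines quoted in the thread plus one constructed line
# using a hypothetical content-change letter 'X'.
SAMPLE = """\
..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
..._..M /usr/libexec/polkit-agent-helper-1
..X_... /usr/bin/ls coreutils_8.32-4_amd64 root root 755
"""
```

As Elmar's reply stresses, the classification is only meaningful when the list was produced from outside the suspect root; entries in the metadata-only bucket still deserve a look if nothing on the system should have touched them.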
