Re: What is the best free HIDS for Debian

2022-05-08 Thread Michael Lazin
Rkhunter does find patterns of known rootkits, but it also finds indicators
like memory anomalies, as I mentioned, and it logs each file change from
the install; this is why ideally you should install it on a fresh system.
Thanks.

Michael Lazin

On Sun, May 8, 2022 at 3:45 PM  wrote:

> On 08.05.2022 20:43, estel...@elstel.org wrote:
> > P.S.: A memory only rootkit would still need a hook to reinstall on a
> > fresh boot.
>
> Yes, I know it is an issue. Debcheckroot does, f.i., not check your
> initrd. To fix this issue I would need to program a piece of
> software of my own, like debcheckinitrd. Anyone who wants to support me can do
> this: https://www.elstel.org/Contact.html. I am a free developer and I
> do not get paid for my open source related work.
>
-- 
Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


Re: What is the best free HIDS for Debian

2022-05-08 Thread estellnb

On 08.05.2022 20:43, estel...@elstel.org wrote:

P.S.: A memory only rootkit would still need a hook to reinstall on a
fresh boot.


  Yes, I know it is an issue. Debcheckroot does, f.i., not check your 
initrd. To fix this issue I would need to program a piece of 
software of my own, like debcheckinitrd. Anyone who wants to support me can do 
this: https://www.elstel.org/Contact.html. I am a free developer and I 
do not get paid for my open source related work.




[SECURITY] [DSA 5132-1] ecdsautils security update

2022-05-08 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-5132-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
May 08, 2022  https://www.debian.org/security/faq
- -

Package: ecdsautils
CVE ID : CVE-2022-24884

It was discovered that ecdsautils, a collection of ECDSA elliptic curve
cryptography CLI tools, verified some cryptographic signatures incorrectly:
a signature consisting only of zeroes was always considered valid,
making it trivial to forge signatures.

For the oldstable distribution (buster), this problem has been fixed
in version 0.3.2+git20151018-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 0.3.2+git20151018-2+deb11u1.

We recommend that you upgrade your ecdsautils packages.

For the detailed security status of ecdsautils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ecdsautils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



Re: What is the best free HIDS for Debian

2022-05-08 Thread estellnb

On 08.05.2022 20:48, Michael Lazin wrote:

SELinux was made by the NSA, but it is open source; anyone can review the
source code. This is part of what makes open source software reliable:
it gets seen by many eyes, and even if you don't review every line
of code yourself you have a web of trust that someone has reviewed it,
and it is strengthened by key signing, which is more common in the
Debian community.  Thank you.

Michael Lazin



  If you talk about SELinux, then let me talk about the times when 
AppArmor was not a default component to be installed, when I was 
creating and sharing AppArmor profiles to keep this technology 
supported. Sure, I have also read into SELinux. It can offer a better 
level of security, but it is more difficult to create profiles for it.
  The thing about rkhunter, as I got to know it, was that it can only 
detect known rootkits. So who is adding NSA rootkits then? I am sure the 
NSA knows how to prevent this. It would be nice to know about the circle of 
people who add rootkit descriptions/detection code. Anyway, if they 
have written the software, they will always know about the quirks and 
intricacies to avoid detection when it comes to deploying their 
own rootkits.




Re: What is the best free HIDS for Debian

2022-05-08 Thread Michael Lazin
SELinux was made by the NSA, but it is open source; anyone can review the
source code. This is part of what makes open source software reliable: it
gets seen by many eyes, and even if you don't review every line of code
yourself you have a web of trust that someone has reviewed it, and it is
strengthened by key signing, which is more common in the Debian community.
Thank you.

Michael Lazin

On Sun, May 8, 2022 at 2:43 PM  wrote:

> On 08.05.22 at 20:21, Michael Lazin wrote:
> > I think if you have a rootkit it is very unlikely to get rid of it
> > without backing up and reimaging, but you may be able to achieve it if
> > you try first rkhunter and second AppArmor, which is similar to SELinux,
> > which was developed by the NSA and made accessible as a Red Hat
> > package.  Both solutions have the ability to limit what root can do and
> > are your only real option for saving a rooted system.  It is important
> > that if you try this that you dump your memory if rkhunter picks up a
> > memory anomaly.  Fileless malware is popular among sophisticated threat
> > actors and rkhunter is equipped to find malware that resides in memory.
> > AppArmor is included in Debian.
> >
> > Thanks,
> > Michael Lazin
> Yes, it would be really interesting if rkhunter has also found the
> rootkit. If it was developed by the NSA, I am sure it would not find a
> rootkit used by the NSA. To my knowledge AppArmor was first developed as
> part of openSUSE. I can remember having filed a report with them with the
> request to keep AppArmor, as it is easier to use than SELinux.
>
> Elmar
>
> P.S.: A memory only rootkit would still need a hook to reinstall on a
> fresh boot.
>
-- 
Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


Re: What is the best free HIDS for Debian

2022-05-08 Thread estellnb
On 08.05.22 at 20:21, Michael Lazin wrote:

I think if you have a rootkit it is very unlikely to get rid of it
without backing up and reimaging, but you may be able to achieve it if
you try first rkhunter and second AppArmor, which is similar to SELinux,
which was developed by the NSA and made accessible as a Red Hat
package.  Both solutions have the ability to limit what root can do and
are your only real option for saving a rooted system.  It is important
that if you try this that you dump your memory if rkhunter picks up a 
memory anomaly.  Fileless malware is popular among sophisticated threat 
actors and rkhunter is equipped to find malware that resides in memory.
AppArmor is included in Debian.

Thanks,
Michael Lazin

  Yes, it would be really interesting if rkhunter has also found the 
rootkit. If it was developed by the NSA, I am sure it would not find a 
rootkit used by the NSA. To my knowledge AppArmor was first developed as 
part of openSUSE. I can remember having filed a report with them with the 
request to keep AppArmor, as it is easier to use than SELinux.


Elmar

P.S.: A memory only rootkit would still need a hook to reinstall on a 
fresh boot.




Re: What is the best free HIDS for Debian

2022-05-08 Thread Elmar Stellnberger

Hi Sylvain

  If you also care about the package selection you have installed, you 
may do a 'dpkg -l' or copy /var/lib/dpkg/status. Possibly I will write 
something to clean the status file of packages that were installed 
implicitly as dependencies. Under Mageia you can use urpmi_rpm-find-leaves 
for that. Possibly also ask on a Debian mailing list (and tell me about it).

  I also forgot that you should possibly do a

cp -a /etc /media/usbdisk

to save configuration files for later lookup. The /etc directory is 
not that big and you can copy it.


Elmar


On 08.05.22 17:15, Elmar Stellnberger wrote:

On 08.05.22 16:51, Sylvain Sécherre wrote:
I thought a lot about your answer and I feel a bit tricky... I 
understand what you're writing but I don't know how to do this.


Do you think I can simply get rid of this rootkit? I've tried to move 
the file "crontab" to a safe place and then reinstall the package 
cron. The new "crontab" file seems to be the same as the previous one 
since the md5s are equal, but debcheckroot still throws an error for it...



Dear Sylvain

   No, I don't think you can get rid of the rootkit by reinstalling a 
package. Usually rootkits are designed in a way that updating or 
reinstalling packages doesn't damage the rootkit. The best thing to do 
is to reinstall new from scratch. In order to do this without 
complications I have a home partition of my own that I can register and reuse 
with /etc/fstab. If you don't have that, do a

cp -a /home /mnt/usbhdd/home

   However, that is not all you need to take into account. Basically any infected 
file can cause the rootkit to get reinstalled on your computer. That can 
also be the case for hidden files in your home directory like 
/home/sylvain/.*

   I always do it like this:

cd /home/sylvain
ls -lad .[^.]*
mkdir /mnt/usbhdd/hidden-quarantine
mv .[^.]* /mnt/usbhdd/hidden-quarantine

The .[^.]* expression works like this:
* first, match anything that starts with a dot (under Linux hidden files 
start with dots)
* second, match a character that is not a dot, [^.]: this excludes .., 
which denotes the parent directory. This one should of course not be copied.
* third, match zero or more further characters: *

   Make sure that you move away the hidden files before you copy your 
home directory back.
   Moving away hidden home directory files will also reset your Firefox 
bookmarks and saved passwords. If you have progressed this far I can 
tell you how to reinstall them - and under normal circumstances reusing 
a database file should not cause a rootkit to reinstall. If you are very 
thorough you can export the bookmarks as HTML and write down all saved 
passwords on a sheet of paper. You need to know however that getting rid 
of a rootkit with 100% certainty is hard, since basically any binary file 
can result in an attack vector.
   If you have progressed this far, sure, I am going to continue to help 
you with setting up a new installation and rescuing bookmarks (at least 
for FF).


Kind Regards,
Elmar
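The "clean the status file of packages that were installed as dependencies" idea from the top of this message, as an added example for this page (it is not Elmar's tool, which the message says does not exist yet, and not code from the thread). It assumes the standard Debian locations, /var/lib/dpkg/status for dpkg's database and /var/lib/apt/extended_states for apt's auto-installed flag, and the two file contents embedded below are constructed samples. The result is the set that `apt-mark showmanual` prints on a live system; doing it from copied files means it also works on a partition mounted from a rescue system.

```python
"""Recover the manually chosen package selection of a Debian system from
copies of its dpkg/apt state files, so it can be replayed on a fresh install.
Added example; not code from the thread.  Assumptions: /var/lib/dpkg/status
and /var/lib/apt/extended_states are the files (standard Debian paths); the
samples below are constructed.  A package with no extended_states entry is
treated as manual, which is also what apt does."""
import re

STATUS_SAMPLE = """\
Package: cron
Status: install ok installed
Priority: important
Version: 3.0pl1-137

Package: libsodium23
Status: install ok installed
Version: 1.0.18-1

Package: rkhunter
Status: deinstall ok config-files
Version: 1.4.6-9

Package: apparmor
Status: install ok installed
Version: 2.13.6-10
"""

EXTENDED_STATES_SAMPLE = """\
Package: libsodium23
Architecture: amd64
Auto-Installed: 1

Package: apparmor
Architecture: amd64
Auto-Installed: 0
"""


def parse_stanzas(text):
    """Split an RFC822-style dpkg/apt file into one dict per stanza.
    Indented continuation lines (multi-line Description fields) are skipped."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace():
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def installed_packages(status_text):
    """Packages whose dpkg state is 'installed' (removed packages that only
    left config files behind have state 'config-files' and are dropped)."""
    return {s["Package"] for s in parse_stanzas(status_text)
            if s.get("Status", "").endswith(" installed")}


def auto_installed(extended_states_text):
    """Packages apt marked as pulled in automatically as dependencies."""
    return {s["Package"] for s in parse_stanzas(extended_states_text)
            if s.get("Auto-Installed") == "1"}


def manual_selection(status_text, extended_states_text):
    """Installed minus auto-installed: the list worth keeping for a reinstall."""
    return sorted(installed_packages(status_text) - auto_installed(extended_states_text))


if __name__ == "__main__":
    # On a real system read the copied files instead of the constructed samples:
    #   status = open("/var/lib/dpkg/status").read()
    #   ext = open("/var/lib/apt/extended_states").read()
    print("\n".join(manual_selection(STATUS_SAMPLE, EXTENDED_STATES_SAMPLE)))
```

The output can be fed straight to `apt-get install` on the new system; every dependency will be resolved again from the fresh archive rather than copied from the suspect one.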









Re: What is the best free HIDS for Debian

2022-05-08 Thread Elmar Stellnberger

On 08.05.22 16:51, Sylvain Sécherre wrote:
I thought a lot about your answer and I feel a bit tricky... I 
understand what you're writing but I don't know how to do this.


Do you think I can simply get rid of this rootkit? I've tried to move 
the file "crontab" to a safe place and then reinstall the package cron. 
The new "crontab" file seems to be the same as the previous one since the 
md5s are equal, but debcheckroot still throws an error for it...



Dear Sylvain

  No, I don't think you can get rid of the rootkit by reinstalling a 
package. Usually rootkits are designed in a way that updating or 
reinstalling packages doesn't damage the rootkit. The best thing to do 
is to reinstall new from scratch. In order to do this without 
complications I have a home partition of my own that I can register and reuse 
with /etc/fstab. If you don't have that, do a

cp -a /home /mnt/usbhdd/home

  However, that is not all you need to take into account. Basically any infected 
file can cause the rootkit to get reinstalled on your computer. That can 
also be the case for hidden files in your home directory like 
/home/sylvain/.*

  I always do it like this:

cd /home/sylvain
ls -lad .[^.]*
mkdir /mnt/usbhdd/hidden-quarantine
mv .[^.]* /mnt/usbhdd/hidden-quarantine

The .[^.]* expression works like this:
* first, match anything that starts with a dot (under Linux hidden files 
start with dots)
* second, match a character that is not a dot, [^.]: this excludes .., 
which denotes the parent directory. This one should of course not be copied.
* third, match zero or more further characters: *

  Make sure that you move away the hidden files before you copy your 
home directory back.
  Moving away hidden home directory files will also reset your Firefox 
bookmarks and saved passwords. If you have progressed this far I can 
tell you how to reinstall them - and under normal circumstances reusing 
a database file should not cause a rootkit to reinstall. If you are very 
thorough you can export the bookmarks as HTML and write down all saved 
passwords on a sheet of paper. You need to know however that getting rid 
of a rootkit with 100% certainty is hard, since basically any binary file 
can result in an attack vector.
  If you have progressed this far, sure, I am going to continue to help 
you with setting up a new installation and rescuing bookmarks (at least 
for FF).


Kind Regards,
Elmar
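The hidden-file quarantine described in this message (and quoted again in the reply above it), as an added example for this page rather than code from the thread. It does with os.scandir what the shell pattern .[^.]* does, and goes one step further: a name beginning with two dots such as `..cache` is skipped by .[^.]* because the class that keeps `..` out also keeps out any second dot, whereas os.scandir never lists `.` or `..` at all, so no such exclusion is needed and `..cache` is caught too. Assumptions: home and quarantine are ordinary paths on the same mounted, otherwise unused filesystem, and the sample home built in demo() is constructed.

```python
"""Quarantine every hidden entry of a home directory before that home is
copied back onto a reinstalled system.  Added example for this page, not
code from the thread.  Assumptions: home and quarantine are ordinary paths on
the same mounted, otherwise unused filesystem; the sample home is constructed."""
import os
import shutil
import tempfile
from pathlib import Path


def glob_hidden(home):
    """What the shell glob .[^.]* sees (fnmatch spells the class [!.])."""
    return sorted(p.name for p in Path(home).glob(".[!.]*"))


def hidden_entries(home):
    """Every direct child of home whose name starts with a dot, including
    '..something'.  os.scandir yields neither '.' nor '..'."""
    with os.scandir(home) as it:
        return sorted(entry.name for entry in it if entry.name.startswith("."))


def quarantine_hidden(home, quarantine):
    """Move the hidden entries (files, directories, symlinks) of home into
    quarantine, keeping their names.  Symlinks are moved as links, never
    dereferenced; an existing target name aborts instead of merging."""
    home, quarantine = Path(home), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    for name in hidden_entries(home):
        src, dst = home / name, quarantine / name
        if dst.exists() or dst.is_symlink():
            raise FileExistsError(f"refusing to overwrite {dst}")
        shutil.move(str(src), str(dst))  # rename(2) when on one filesystem
        moved.append(name)
    return moved


def demo():
    """Constructed home with visible and hidden entries; returns what the
    shell glob would have seen, what was moved, and what is left behind."""
    root = Path(tempfile.mkdtemp())
    home = root / "home" / "sylvain"
    home.mkdir(parents=True)
    (home / "Documents").mkdir()
    (home / ".bashrc").write_text("alias ls='ls --color=auto'\n")
    (home / ".mozilla" / "firefox").mkdir(parents=True)
    (home / "..cache").mkdir()                           # invisible to .[^.]*
    (home / ".ssh").symlink_to(root / "does-not-exist")  # dangling symlink
    seen_by_glob = glob_hidden(home)
    moved = quarantine_hidden(home, root / "hidden-quarantine")
    left = sorted(p.name for p in home.iterdir())
    return seen_by_glob, moved, left


if __name__ == "__main__":
    print(demo())
```

Run `ls -la` on the quarantine directory afterwards and compare it with the list the function returns; anything that shows up in one and not the other is worth a look before the home directory is copied back.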








Re: What is the best free HIDS for Debian

2022-05-08 Thread Michael Lazin
I think if you have a rootkit it is very unlikely to get rid of it without
backing up and reimaging, but you may be able to achieve it if you try first
rkhunter and second AppArmor, which is similar to SELinux, which was
developed by the NSA and made accessible as a Red Hat package.  Both
solutions have the ability to limit what root can do and are your only real
option for saving a rooted system.  It is important that if you try this
that you dump your memory if rkhunter picks up a memory anomaly.  Fileless
malware is popular among sophisticated threat actors and rkhunter is
equipped to find malware that resides in memory.  AppArmor is included in
Debian.

Thanks,

Michael Lazin

On Sun, May 8, 2022 at 11:18 AM Sylvain  wrote:

> Dear Elmar,
>
> Thank you for your help. I really appreciate very much.
>
> I thought a lot about your answer and I feel a bit tricky... I
> understand what you're writing but I don't know how to do this.
>
> Do you think I can simply get rid of this rootkit? I've tried to move
> the file "crontab" to a safe place and then reinstall the package cron.
> The new "crontab" file seems to be the same as the previous one since the
> md5s are equal, but debcheckroot still throws an error for it...
>
> Regards
>
> Sylvain
>
> On 06/05/2022 at 16:20, Elmar Stellnberger wrote:
> > Dear Sylvain
> >
> > The next thing I would do is create a timeline. Mount the partition with
> > noatime so that access times are preserved as they are on new file
> > operations, and then let find output the access, modification and creation
> > times of all files. Look at when these three executables have been
> > modified/created and then search back for what happened at the
> > earliest time right before the rootkit was installed. Once I
> > analysed a system of mine like this and found out that some suspicious
> > files had been uploaded into the ~/.skype directory. If I remember
> > right I think I had used vim for it, but it should also be possible to use sth.
> > like sort.
> >
> > Regards
> > E.
>
> --
Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


Re: What is the best free HIDS for Debian

2022-05-08 Thread Sylvain

Dear Elmar,

Thank you for your help. I really appreciate very much.

I thought a lot about your answer and I feel a bit tricky... I 
understand what you're writing but I don't know how to do this.


Do you think I can simply get rid of this rootkit? I've tried to move 
the file "crontab" to a safe place and then reinstall the package cron. 
The new "crontab" file seems to be the same as the previous one since the 
md5s are equal, but debcheckroot still throws an error for it...


Regards

Sylvain

On 06/05/2022 at 16:20, Elmar Stellnberger wrote:

Dear Sylvain

The next thing I would do is create a timeline. Mount the partition with 
noatime so that access times are preserved as they are on new file 
operations, and then let find output the access, modification and creation 
times of all files. Look at when these three executables have been 
modified/created and then search back for what happened at the 
earliest time right before the rootkit was installed. Once I 
analysed a system of mine like this and found out that some suspicious 
files had been uploaded into the ~/.skype directory. If I remember 
right I think I had used vim for it, but it should also be possible to use sth. 
like sort.


Regards
E.
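The timeline procedure Elmar describes in the quoted message, as an added example for this page (not code from the thread): walk the mounted suspect tree, record the three stat timestamps of every entry, sort, and then ask the question the post actually cares about, what was touched in the window right before the flagged file appeared. Assumptions: the suspect filesystem is mounted at `root` read-only or with noatime, as the post recommends, so that looking does not rewrite access times; usr/bin/crontab is used as the flagged file because that is what debcheckroot complained about earlier in the thread; the sample tree and its timestamps in build_sample_tree() are constructed. One caveat the post glosses over: stat(2) on Linux gives modification, inode-change and access times, not creation time, so the third column here is ctime.

```python
"""File timeline of a suspect tree, and the 'what happened right before'
query.  Added example for this page, not code from the thread.  Assumptions:
the suspect filesystem is mounted at `root` (read-only or noatime); the
flagged file is usr/bin/crontab; the sample tree below is constructed."""
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def walk_times(root):
    """Yield (mtime, ctime, atime, relative path) for everything under root.
    lstat() so symlinks are recorded as themselves; os.walk does not follow
    them either.  ctime is the inode change time, not creation: stat(2) has no
    portable birth time ('stat -c %w' prints it where the filesystem keeps one)."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            yield st.st_mtime, st.st_ctime, st.st_atime, str(p.relative_to(root))


def timeline(root):
    """Oldest to newest by mtime, then ctime: the same ordering that
    find -printf '%T+ %C+ %A+ %p\\n' | sort gives on the shell."""
    return sorted(walk_times(root))


def window_before(root, flagged, hours):
    """Relative paths modified in the `hours` before the flagged file's mtime:
    the candidates for how the rootkit arrived.  The flagged file itself and
    anything modified later are excluded."""
    ref = (Path(root) / flagged).lstat().st_mtime
    low = ref - hours * 3600
    return [path for mtime, _, _, path in timeline(root) if low <= mtime < ref]


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_tree():
    """Constructed tree: two Skype uploads shortly before crontab is replaced,
    and an unrelated old file that must not show up in the 3-hour window."""
    root = Path(tempfile.mkdtemp())
    t0 = time.mktime(time.strptime("2022-05-01 12:00", "%Y-%m-%d %H:%M"))
    ages = {                      # relative path -> seconds before t0
        "usr/bin/crontab": 0,
        "home/sylvain/.skype/shared.xml": 2 * 3600,
        "home/sylvain/.skype/upload.bin": 30 * 60,
        "etc/hostname": 40 * 24 * 3600,
    }
    for rel, age in ages.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (t0 - age, t0 - age))   # atime, mtime; ctime stays 'now'
    return root


def demo():
    return window_before(build_sample_tree(), "usr/bin/crontab", hours=3)


if __name__ == "__main__":
    root = build_sample_tree()
    for mtime, ctime, atime, path in timeline(root):
        print(fmt(mtime), fmt(ctime), fmt(atime), path)
    print("touched in the 3h before crontab:", window_before(root, "usr/bin/crontab", 3))
```

Note that an attacker who can set mtime with touch or utime can make a file look old; ctime cannot be set from user space, so a file whose ctime is long after its mtime has had its metadata rewritten and deserves a closer look.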




External check

2022-05-08 Thread Security Tracker
CVE-2022-26491: RESERVED
CVE-2022-29167: TODO: check
CVE-2022-29173: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.