Re: What is the best free HIDS for Debian

2022-05-11 Thread Elmar Stellnberger

Dear Vitaly

On 5/10/22 05:24, Vitaly Krasheninnikov wrote:

> Hi Elmar,
> Thank you for debcheckroot. I think it is a great project, which makes us one 
> step closer to a verifiable Debian system.
> In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed 
> us: "..._.GM" and "..._..M".
> According to the description on your website, it means the modification of the 
> file permissions, not the actual content.
> ...
> So while I truly consider the debcheckroot very useful, I think in this case it 
> was a false positive due to the side effects of the postinst scripts of the 
> relevant packages.
>
> Thank you,
> Vitaly



  Thanks for pointing that out! I have not used the tool for long on my 
own, so I forgot about the change indication marker letters. Of 
course there isn't much you can say about the modified group and file 
permission of a file. See here what Sylvain Sécherre had written me in 
her original email:


On 5/6/22 15:05, Sylvain Sécherre wrote to estel...@elstel.org,
(BCC possible):
> Hello Elmar,
> ...
> Here's the fileserror.lis:
> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> ..._..M /usr/libexec/polkit-agent-helper-1
> ...
> The file filesunverified.lis is very long, while pkgcorrupt.lis is empty.
>
> I ran debcheckroot on a possibly infected machine.
>
> Thank you for your help!
>
> Best regards,
>
> Sylvain

  If debcheckroot was executed inside the infected root file system, 
then no wonder it can't find anything. The rootkits I know, and I have 
discovered and burned several rootkits on Blu-ray, have behaved like 
this: inside the root, infected executables compare OK against the 
pristine version, but not so outside the rootkit root when you have a 
fresh boot. The fact that group and file permissions of these 
executables have changed could at least be interpreted as suspicious 
though, since normally I'd truly believe there will be nobody who 
modifies that.


Regards,
Elmar
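To make the flag discussion above concrete, here is an added Python helper (not debcheckroot's own code) that parses the fileserror.lis lines Sylvain posted, separates findings where only G or M is set (group/permission change, content not implicated) from anything else, and re-reads a file's permission bits under a suspect root mounted from a clean boot, which is the way Elmar says such checks have to be run. The column layout, the meaning of any flag letter other than G and M, and the trailing owner/group/mode columns being the package's expected values are assumptions.

```python
# Triage helper for a debcheckroot fileserror.lis (added example, not the tool's own code).
# Assumed layout, read off the lines quoted in the thread: <flags> <path> [<package> <owner> <group> <mode>]
# Only G (group) and M (mode) are explained there; any other letter is assumed to be "not metadata-only".
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the fileserror.lis lines Sylvain posted.
SAMPLE = """\
..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
..._..M /usr/libexec/polkit-agent-helper-1
"""
METADATA_FLAGS = {"G", "M"}  # group / permission bits changed, content not implicated

@dataclass
class Entry:
    flags: str
    path: str
    package: Optional[str]
    owner: Optional[str]
    group: Optional[str]
    mode: Optional[int]  # assumed: the mode the package ships, e.g. 0o755

def parse(text: str) -> List[Entry]:
    # Trailing columns may be missing, as on the fourth sample line.
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rest = parts[2:] + [None] * 4  # pad absent columns
        mode = int(rest[3], 8) if rest[3] else None
        entries.append(Entry(parts[0], parts[1], rest[0], rest[1], rest[2], mode))
    return entries

def metadata_only(entry: Entry) -> bool:
    """True when every set flag letter is G or M: permissions/group only, not content."""
    letters = {c for c in entry.flags if c.isalpha()}
    return bool(letters) and letters <= METADATA_FLAGS

def recheck_mode(entry: Entry, root: str) -> Optional[int]:
    """Permission bits of entry.path under a suspect root mounted at `root` (e.g. /mnt from a clean boot); None if absent."""
    try:
        st = os.lstat(os.path.join(root, entry.path.lstrip("/")))
    except OSError:
        return None
    return stat.S_IMODE(st.st_mode)
```

Comparing the value recheck_mode returns with entry.mode tells you whether the permission change persists when the check is made from outside the suspect system.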


External check

2022-05-11 Thread Security Tracker
CVE-2022-1012: RESERVED
CVE-2022-1537: TODO: check
CVE-2022-1651: RESERVED
CVE-2022-1655: RESERVED
CVE-2022-1662: missing from list
CVE-2022-23267: RESERVED
CVE-2022-29117: RESERVED
CVE-2022-29145: RESERVED
CVE-2022-30293: TODO: check, Alberto Garcia is checking with upstream
CVE-2022-30294: TODO: check, Alberto Garcia is checking with upstream
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.