Re: What is the best free HIDS for Debian
On 10/05/2022 05:37, Vitaly Krasheninnikov wrote:
Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system.
In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M".
According to the description on your website, it means the modification of the file permissions, not the actual content.
Thanks a lot for clarifying this. I found the interpretation of the
results of debcheckroot at https://www.elstel.org/debcheckroot/
On 06/05/2022 15:52, Elmar Stellnberger wrote:
On 06.05.22 at 15:05, Sylvain Sécherre wrote:
> Here's the fileserror.lis:
> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root
> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
I hope you won't mind that I am citing the output of debcheckroot
you have given me.
These three files point to an infection with a rootkit. Don't care
about modified configuration files like in /etc too much (but you may
still have a look at them). Executable files on the other hand must
never be modified. If these three files are different it means that
someone has altered your system. If you look at the man pages of these
executables then you also know that a maker of a rootkit would have
interest to modify exactly these files.
Since you are the author of the debcheckroot tool, why do you think that
the G (group) and M (mode) flags indicate the content of the files were
altered? Or did you make a mistake and forget what the output of
debcheckroot actually means? If so, does this change your opinion that a
rootkit is installed on this system?
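The point of the question above is the difference between a file whose bytes no longer match the package and a file whose content still matches but whose group or mode differs. The following is an added example, not debcheckroot's code and not anything from the thread: it hashes each file against a dpkg-style md5sums record and separately compares owner, group and permission bits, reporting them as distinct flags. The flag letters (C, U, G, M) are this example's own convention, loosely modelled on the G and M in the quoted output; the `Expected` record, the `parse_md5sums` helper and the demo scenario are assumptions for illustration. The md5sums file format it parses is the one dpkg keeps under /var/lib/dpkg/info/<pkg>.md5sums; owner, group and mode are not in that file and would come from the package archive itself, so here they are supplied alongside.

```python
"""Content-vs-metadata integrity check (added example; not debcheckroot's code)."""
import grp
import hashlib
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Expected:
    """What the package says a file should look like. Assumption: owner/group/mode
    come from the .deb's tar headers; the md5 comes from <pkg>.md5sums."""
    path: str
    md5: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o755


def parse_md5sums(text, root="/"):
    """Parse dpkg's /var/lib/dpkg/info/<pkg>.md5sums lines: '<md5>  <relative path>'."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, rel = line.split(None, 1)
        result[os.path.join(root, rel)] = digest
    return result


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # uid without a passwd entry: compare numerically


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_file(exp):
    """Return a flag string: C = content differs, U = owner, G = group, M = mode.
    (Own convention for this example, not debcheckroot's exact output format.)"""
    st = os.lstat(exp.path)
    flags = ""
    if file_md5(exp.path) != exp.md5:
        flags += "C"
    if _owner_name(st.st_uid) != exp.owner:
        flags += "U"
    if _group_name(st.st_gid) != exp.group:
        flags += "G"
    if stat.S_IMODE(st.st_mode) != exp.mode:
        flags += "M"
    return flags


def classify(flags):
    """Separate 'the binary was replaced' from 'only permissions changed'."""
    if "C" in flags:
        return "content"   # bytes no longer match the package: investigate the file itself
    if flags:
        return "metadata"  # bytes match; only ownership or mode differ from the package
    return "ok"


def demo_scenarios():
    """Constructed scenario: a fake 'package file' checked against its own record."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pkexec")  # name only; not the real binary
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho pretend-binary\n")
        os.chmod(path, 0o755)
        st = os.lstat(path)
        # Record taken from the pristine file stands in for the package's data.
        exp = Expected(path, file_md5(path), _owner_name(st.st_uid),
                       _group_name(st.st_gid), 0o755)
        pristine = check_file(exp)
        os.chmod(path, 0o700)               # permission change only -> "M"
        mode_only = check_file(exp)
        os.chmod(path, 0o755)
        with open(path, "ab") as f:         # content change -> "C"
            f.write(b"# trailing edit\n")
        content = check_file(exp)
        return {"pristine": pristine, "mode_only": mode_only, "content": content}


if __name__ == "__main__":
    for name, flags in demo_scenarios().items():
        print(f"{name:10s} flags={flags or '-':4s} -> {classify(flags)}")
```

Run as a script it prints the three constructed cases; the useful habit it encodes is to treat a "metadata" result as a prompt to compare the permissions against what the package ships (and against what you or a local policy changed deliberately), while a "content" result on an executable is the case that warrants treating the file as possibly replaced.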