Re: What is the best free HIDS for Debian

To: Vitaly Krasheninnikov <mail@krushik.ru>, Sylvain <ssecherre@free.fr>, debian-security <debian-security@lists.debian.org>
Subject: Re: What is the best free HIDS for Debian
From: Elmar Stellnberger <estellnb@elstel.org>
Date: Wed, 11 May 2022 17:43:13 +0200
Message-id: <[🔎] e96fccf1-019f-a8c1-655e-81bf463706b9@elstel.org>
In-reply-to: <2449971.LtY2Am0hN3@krushik>
References: <[🔎] 62701ec7$0$18715$426a34cc@news.free.fr> <[🔎] 627260e6$0$24819$426a74cc@news.free.fr> <[🔎] 7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <2449971.LtY2Am0hN3@krushik>

Dear Vitaly

On 5/10/22 05:24, Vitaly Krasheninnikov wrote:

Hi Elmar,
Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system.
In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M".
According to the description on your website, it means the modification of the file permissions, not the actual content.
...
So while I truly consider the debcheckroot very useful, I think in this case it was a false positive due to the side effects of the postinst scripts of the relevant packages.

Thank you,
Vitaly

Thanks for pointing that out! I have not used the tool for long on myown, so that I forgot about the change indication marker letters. Ofcourse there isn´t much you can say about the modified group and filepermission of a file. See here what Sylvain Sécherre had written me inher original email:


On 5/6/22 15:05, Sylvain Sécherre wrote to estellnb@elstel.org,
(BCC possible):
> Hello Elmar,
> ...
> Here's the fileserror.lis:
> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> ..._..M /usr/libexec/polkit-agent-helper-1
> ...
> The file filesunverified.lis is very long, while pkgcorrupt.lis is empty.
>
> I ran debcheckroot on a possibly infected machine.
>
> Thank you for your help!
>
> Best regards,
>
> Sylvain

If debcheckroot was executed inside the infected root file system,then no wonder it can´t find anything. The rootkits I know, and I havediscovered and burned several root kits on blue ray, have behaved likethis: Inside the root infected executables compare ok against thepristine version, but not so outside the rootkit root when you have afresh boot. The fact that group and file permissions of theseexecutables have changed could at least be interpreted as suspiciousthough, since normally I´d truly believe there will be nobody whomodifies that.


Regards,
Elmar

Reply to:

References:
- What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>

Prev by Date: Re: What is the best free HIDS for Debian
Next by Date: Re: What is the best free HIDS for Debian
Previous by thread: Re: What is the best free HIDS for Debian
Next by thread: Fwd: Re: Fwd: What is the best free HIDS for Debian
Index(es):
- Date
- Thread