Re: What is the best free HIDS for Debian

To: Sylvain <ssecherre@free.fr>, debian-security <debian-security@lists.debian.org>
Subject: Re: What is the best free HIDS for Debian
From: Elmar Stellnberger <estellnb@elstel.org>
Date: Tue, 17 May 2022 11:54:17 +0200
Message-id: <[🔎] 0311a689-d71c-3329-be29-ea6e798c60ec@elstel.org>
In-reply-to: <[🔎] 62821baa$0$26333$426a74cc@news.free.fr>
References: <[🔎] 62701ec7$0$18715$426a34cc@news.free.fr> <[🔎] 627260e6$0$24819$426a74cc@news.free.fr> <[🔎] 7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <[🔎] 42898050-0dea-3cfb-3462-0a58452182e5@elstel.org> <8135fc53-727b-4cf5-1811-8bbd521f395b@free.fr> <c77e6c54-059c-190c-4709-1bff606c162b@elstel.org> <[🔎] 4c83923c-b291-82d5-3799-fd06b1c279d4@elstel.org> <EkTYZ-e95f-1@gated-at.bofh.it> <[🔎] 627e64e1$0$18723$426a74cc@news.free.fr> <[🔎] 62821baa$0$26333$426a74cc@news.free.fr>


Am 16.05.22 um 11:38 schrieb Sylvain:

Hello,
Here's the result of debcheckroot on an entirely fresh install ofdebian, without any access to the internet from a browser or a mailclient. I only:
- ran "apt update" to test my internet connection
- copied files on a USB stick

Here's the fileserror.lis:
..._..M /usr/libexec/polkit-agent-helper-1policykit-1_0.105-31+deb11u1_amd64 root root 755
..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
.._L... /usr/share/dict/words american-englishwamerican_2019.10.06-1_all root root 777..._.GM /usr/lib/dbus-1.0/dbus-daemon-launch-helper dbus_1.12.20-2_amd64root root 755



Dear Sylvain
Dear readers of debian-security

I have now analyzed these packages and in deed policykit sets setuidpermissions in the postinst script manually instead of having thesefiles unpacked with setuid bit set. This in order to honordpkg-statoverride --list. However the problem for debcheckroot is thatit can hardly analyze the postinst scripts; analyzing program logicwould be turing complete and every postinst script is different.


policykit: calls set_perms if no statoverride present
cron: package configures dpkg-statoverride on its own
openssh-client: direct chmod, chgrp if no statoverride present
dbus: invokes dpkg-statoverride if not yet present

Almost each of these packages would need its own logic for scanningthe postinst script for setuid/chown/chgrp changes. Since there are onlya limited number of such setuid programs it would be doable but probablynot worth doing since as it turned out you can never truly rely merelyon file modes any way.Debcheckroot was designed to detect file content alterations and ithas several ways to do so. If this feature is not used you don´t getmeaningful output information.

So this time it was a false alarm. Debcheckroot did not detectanything, but in order for debcheckroot to be able to detect somethingyou need to follow the recommendations athttps://www.elstel.org/debcheckroot/. Most important is - do not scanfrom inside of the infected system. This does almost never give usableinformation.Please also excuse that I did not remember the docs correctly. I havenot used the program on my own for quite a long time now. My mainproductive system has been running on Mageia and so applyingdebcheckroot was no more option for me.

Finally I wanna conclude that this does certainly not mean Sylvain´ssystem was/is clean. Normally if you have a suspicion like him you don´thave that without reason. Also I have seen many rootkits not detected byrkhunter and chkrootkit, but yes by debcheckroot (I still have blue rayimages of these incidents). If debcheckroot is not applied correctly itwon´t yield any good result however. Besides this it is already quite along time ago since I had developed that script and perhaps today´srootkits are more prudent like the suggested memory only rootkits. Toscan for this I would need to develop something like debcheckinitrd.Doable, but if there is little true known interest I won´t do thatwithout any reward since my own interest is different. I just know fromthe weblogs that a South American university is using it besides someprivate people.

The only thing that speaks for Sylvain´s initial allegation is thathere appear to be posting people on this list who wiretap our privatecommunication. He said "Feel free to cite me even if it WAS A PRIVATEEMAIL". - and that private email got cited by Michael Lazin posting onthis list. Sylvain would have told me if the email was not privatebecause this was my question. It is the only thing provable for me now.Also I have noted that several emails addressed only to me got posted tothe whole list. I simply don´t believe that Sylvain would do thatintentionally for several times. At least I have not heard anyexplanation for it by him. I´d also believe there is no reason tointerfere with me helping Sylvain if none of us were targeted in someway. I have asked Sylvain multiple times to repeat the scan fromout of aclean boot CD, because that could have been interesting. As far as whathas reached me, he did not do that yet.


Regards,
Elmar Stellnberger

Reply to:

References:
- What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>

Prev by Date: Re: What is the best free HIDS for Debian
Next by Date: Array IBM x3100 M4
Previous by thread: Re: What is the best free HIDS for Debian
Next by thread: Re: What is the best free HIDS for Debian
Index(es):
- Date
- Thread