 |
Post AtPMHMbSTOeBs51DlY by [email protected] |
 |
More posts by [email protected] |
|
Post #AtPBoZJD9i3nL07AC8 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
I'm a little rusty when it comes to Linux security, and I think I may have … |
|
|
|
Post #AtPCjUUviPIuvHjquO by [email protected] |
|
0 likes, 1 repeats |
|
|
|
From what I'm reading, the user is expected to either a) enable IMA manuall… |
|
|
|
Post #AtPCony2kt4ukqtFSq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still You can make a list of all changed files from the original packages. How… |
|
|
|
Post #AtPCoo4mLqSx5k2cxk by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@skewray that doesn't seem super feasible to monitor |
|
|
|
Post #AtPEaq0Oa6TMvgSSGG by [email protected] |
|
0 likes, 0 repeats |
|
|
|
The reason why I'm asking is I've been reading a couple of reports, and… |
|
|
|
Post #AtPEaq6QDhIFENHGee by [email protected] |
|
0 likes, 1 repeats |
|
|
|
The general consensus I'm reading is you're expected to configure dm-ve… |
|
|
|
Post #AtPEe091LBpdFC06uu by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still IMA-EVM + an RO filesystem protected with fs-verity is probably the best… |
|
|
|
Post #AtPF025MnwYvdQnTs0 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still this is a great point. This aspect of Linux security is indeed sorely la… |
|
|
|
Post #AtPF25ly4D6HeKhnP6 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@lanodan you can remount the fs as rw if needed afaik long as you have root - w… |
|
|
|
Post #AtPFhJnQpf0B1333Y0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] I was looking into something similar some time ago and … |
|
|
|
Post #AtPFhJvwK1o7RR1qoC by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@axel My problem with all of the proposed solutions I've seen thus far is a… |
|
|
|
Post #AtPFnX9k4cbmBjRoH2 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still Know very little about this topic, but from what I understand if you'… |
|
|
|
Post #AtPFswlaHYvh46jGGe by [email protected] |
|
0 likes, 1 repeats |
|
|
|
https://infosec.exchange/@still/114391292427677855 |
|
|
|
Post #AtPFxnUeBfELkk7U9o by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@deepphilosopher this is unrelated to what I'm talking about - that code si… |
|
|
|
Post #AtPGIG3ZhOao8GDHdo by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still Sadly there's no support for executable signatures on Linux afaik. B… |
|
|
|
Post #AtPGIGBjD57AXY1nLk by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still I mean there is support for signatures but I'm not sure if anyone us… |
|
|
|
Post #AtPGNoBGFp8jPiSHNg by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still 1. Use a package manager that validates packages on installation.Typical… |
|
|
|
Post #AtPGSf7RN9vsl1yyiO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still Figure that Linux is mostly used on servers which are increasingly Kuber… |
|
|
|
Post #AtPGSgFdAC4uGip27U by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still (this is not entirely true but is one pretty common dodge of the problem… |
|
|
|
Post #AtPGdbu7fJjHyLyQj2 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still do you know https://docs.redhat.com/en/documentation/red_hat_enterprise_… |
|
|
|
Post #AtPGgMmaLMIzwUlKDY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@tjbutt58 #1 does not address the issue of tampered binaries post-installation#… |
|
|
|
Post #AtPGgMsxxdPSGHkQAC by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still tampered binaries is why #3#2 is trivial to automate, but superceded by … |
|
|
|
Post #AtPGlzZXYIExh6LKq0 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@w00p AIDE looks fine, but the problem is it's RHEL exclusive afaik? |
|
|
|
Post #AtPGmcUErwAmNxA9UO by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still openscap scans, for instance, will validate #2, and can be run daily. Or… |
|
|
|
Post #AtPGoDTynxn1PonqKW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still yeah I think this is one of many ways that Linux desktop security now la… |
|
|
|
Post #AtPGoDa0RYbtiVceiu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still tripwire or some third party EDR are the current solutions |
|
|
|
Post #AtPGosHJ7z0xwOBnlo by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still ya |
|
|
|
Post #AtPGtzXvX5fFvjP3BY by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still tampered binaries post installation are the reason allow listing tools e… |
|
|
|
Post #AtPH1qXkt9tUKE4I1w by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still tools like tripwire/side/ samhain will report tampered binaries too, sam… |
|
|
|
Post #AtPH5KIeiA9vTwfHU0 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still i think it's distro independent: https://aide.github.io/ |
|
|
|
Post #AtPH8rNWBPAswRcky0 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@w00p ah ok I think this might be feasible then |
|
|
|
Post #AtPHLGmFZmstBq6rmS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] @[email protected] the "third party too… |
|
|
|
Post #AtPHLGsdC3zLVd5xj6 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@qrsbrwn @axel I suppose I just have not run into such systems then. Most of th… |
|
|
|
Post #AtPHMYhOQgX93wS7Jg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@tjbutt58 I'll keep this in mind, but I think another problem that stems fr… |
|
|
|
Post #AtPHMYmi6umrKQwMbY by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still that's true. Mostly, though, rpm based distros work one way, deb wor… |
|
|
|
Post #AtPHN3dvNdB92A4HiK by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@qrsbrwn @axel I suppose I just have not run into such systems then. Most of th… |
|
|
|
Post #AtPHY9DT00oRVKyrzc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still Nope! You could run it as a cron job, I guess? No idea how long it would… |
|
|
|
Post #AtPI9ZlNGGRGYKghwO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still not sure if it's really 'code signing' as such, but Redhat (… |
|
|
|
Post #AtPI9Zs6rDpItDq5RI by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@aloz1 this sounds like a good solution yeah |
|
|
|
Post #AtPIA5e2j3aXQrVIxM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still the question seems a bit misleading. The concept of binary signing and v… |
|
|
|
Post #AtPIYY0SvgIyLPecNc by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still dm-verity might not even be enough. You can still mount an overlay over … |
|
|
|
Post #AtPIhnSGrU0sra4Plw by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@maubil in many of the incidents we and our peers have seen, they have already … |
|
|
|
Post #AtPKLYKyaVsLVwBAoK by [email protected] |
|
0 likes, 1 repeats |
|
|
|
Just to be clear - I'm not suggesting binary signing is the way to go or th… |
|
|
|
Post #AtPL7LFmXJHcprXMa8 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still the challenge with linux distros is that enabling this stuff by default … |
|
|
|
Post #AtPLthPhRuZlSnEcGe by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] Yeah, I get that tbh. I've been looking for somethi… |
|
|
|
Post #AtPLwWCzZ7OPa3dRFw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still I really wonder if binary signing would hold, though. You can cause equa… |
|
|
|
Post #AtPLxpvRkA551O3aIC by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still in short, the tools are there, but work differently to Windows. Not rely… |
|
|
|
Post #AtPLzU9peCC85XZVsO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@kevinriggle @still r/o and noexec filesystem mounts,SystemD ProtectSystem, Pro… |
|
|
|
Post #AtPM5vOrH2IEJgfeC0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still There have been attempts to do code signing on Linux and ELF supports it… |
|
|
|
Post #AtPM9ZFRZl30lw0JtY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still doesn't an immutable Linux give you that? Or am I misunderstanding t… |
|
|
|
Post #AtPMHMbSTOeBs51DlY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still Debian variants have debsums, but its comparing to a file under /var rkh… |
|
|
|
Post #AtPMIfpQTmwtmrB1Hc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still I think you're looking for immutable distributions, Fedora Silverblu… |
|
|
|
Post #AtPOjhG5TEbdwuf1FY by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still @skewray It is trivial for any competent sysadmin and should have been a… |
|
|
|
Post #AtPT9JfqBCv09HB7aK by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still @axel I faced the same question and issue some years ago, while performi… |
|
|
|
Post #AtPUz2wdisw9HEGbC4 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still I see, I'm still a bit confused on how this could realistically work… |
|
|
|
Post #AtPUz32fMTl1Zv5PaS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still I guess that the use of a Programmable ROM for the kernel would solve th… |
|
|
|
Post #AtPV5oQE7IZAGKKdyy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@vampirdaddy @kevinriggle @still yup, going with "prevent this in the firs… |
|
|
|
Post #AtPV8mTnnKkv6hQ66K by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@still that's correct. You need complete, static images of the root filesys… |
|
|
|
Post #AtPX1719kcgEOcUZMm by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] @[email protected] AIDE is very good, definitel… |
|
|
|
Post #AtPqeOJ3IvXiRGJ1lI by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@axel @still Yeah, been using it in years, learnt it from SANS SEC506, an old t… |
|
|
|
Post #AtQUULJdZ4KuQzLJuy by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still @axel For me ro-fs+dm/fs-verity is something a Enterprise Linux OS vend… |
|
|
|
Post #AtQZzG6hToDv1mqwnw by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@still @axel OS vendor support would solve supply, next you need to solve deman… |
|
|
|
Post #AujEYSX4oXUeVpK9g0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@skewray @still, Debian-like systems should have debsums installed. That's … |
