Post AtPMHMbSTOeBs51DlY by [email protected]
Post #AtPBoZJD9i3nL07AC8 by [email protected]
0 likes, 1 repeats
I'm a little rusty when it comes to Linux security, and I think I may have …
Post #AtPCjUUviPIuvHjquO by [email protected]
0 likes, 1 repeats
From what I'm reading, the user is expected to either a) enable IMA manuall…
Post #AtPCony2kt4ukqtFSq by [email protected]
0 likes, 0 repeats
@still You can make a list of all changed files from the original packages. How…
Post #AtPCoo4mLqSx5k2cxk by [email protected]
0 likes, 1 repeats
@skewray that doesn't seem super feasible to monitor
Post #AtPEaq0Oa6TMvgSSGG by [email protected]
0 likes, 0 repeats
The reason why I'm asking is I've been reading a couple of reports, and…
Post #AtPEaq6QDhIFENHGee by [email protected]
0 likes, 1 repeats
The general consensus I'm reading is you're expected to configure dm-ve…
Post #AtPEe091LBpdFC06uu by [email protected]
0 likes, 1 repeats
@still IMA-EVM + an RO filesystem protected with fs-verity is probably the best…
Post #AtPF025MnwYvdQnTs0 by [email protected]
0 likes, 1 repeats
@still this is a great point. This aspect of Linux security is indeed sorely la…
Post #AtPF25ly4D6HeKhnP6 by [email protected]
0 likes, 1 repeats
@lanodan you can remount the fs as rw if needed afaik, as long as you have root - w…
Post #AtPFhJnQpf0B1333Y0 by [email protected]
0 likes, 0 repeats
@[email protected] I was looking into something similar some time ago and …
Post #AtPFhJvwK1o7RR1qoC by [email protected]
0 likes, 1 repeats
@axel My problem with all of the proposed solutions I've seen thus far is a…
Post #AtPFnX9k4cbmBjRoH2 by [email protected]
0 likes, 0 repeats
@still Know very little about this topic, but from what I understand if you'…
Post #AtPFswlaHYvh46jGGe by [email protected]
0 likes, 1 repeats
https://infosec.exchange/@still/114391292427677855
Post #AtPFxnUeBfELkk7U9o by [email protected]
0 likes, 0 repeats
@deepphilosopher this is unrelated to what I'm talking about - that code si…
Post #AtPGIG3ZhOao8GDHdo by [email protected]
0 likes, 0 repeats
@still Sadly there's no support for executable signatures on Linux afaik. B…
Post #AtPGIGBjD57AXY1nLk by [email protected]
0 likes, 0 repeats
@still I mean there is support for signatures but I'm not sure if anyone us…
Post #AtPGNoBGFp8jPiSHNg by [email protected]
0 likes, 1 repeats
@still 1. Use a package manager that validates packages on installation. Typical…
Post #AtPGSf7RN9vsl1yyiO by [email protected]
0 likes, 0 repeats
@still Figure that Linux is mostly used on servers which are increasingly Kuber…
Post #AtPGSgFdAC4uGip27U by [email protected]
0 likes, 0 repeats
@still (this is not entirely true but is one pretty common dodge of the problem…
Post #AtPGdbu7fJjHyLyQj2 by [email protected]
0 likes, 1 repeats
@still do you know https://docs.redhat.com/en/documentation/red_hat_enterprise_…
Post #AtPGgMmaLMIzwUlKDY by [email protected]
0 likes, 0 repeats
@tjbutt58 #1 does not address the issue of tampered binaries post-installation#…
Post #AtPGgMsxxdPSGHkQAC by [email protected]
0 likes, 1 repeats
@still tampered binaries is why #3#2 is trivial to automate, but superseded by …
Post #AtPGlzZXYIExh6LKq0 by [email protected]
0 likes, 1 repeats
@w00p AIDE looks fine, but the problem is it's RHEL exclusive afaik?
Post #AtPGmcUErwAmNxA9UO by [email protected]
0 likes, 1 repeats
@still openscap scans, for instance, will validate #2, and can be run daily. Or…
Post #AtPGoDTynxn1PonqKW by [email protected]
0 likes, 0 repeats
@still yeah I think this is one of many ways that Linux desktop security now la…
Post #AtPGoDa0RYbtiVceiu by [email protected]
0 likes, 0 repeats
@still tripwire or some third party EDR are the current solutions
Post #AtPGosHJ7z0xwOBnlo by [email protected]
0 likes, 1 repeats
@still ya
Post #AtPGtzXvX5fFvjP3BY by [email protected]
0 likes, 1 repeats
@still tampered binaries post installation are the reason allow listing tools e…
Post #AtPH1qXkt9tUKE4I1w by [email protected]
0 likes, 1 repeats
@still tools like tripwire/side/samhain will report tampered binaries too, sam…
Post #AtPH5KIeiA9vTwfHU0 by [email protected]
0 likes, 1 repeats
@still i think it's distro independent: https://aide.github.io/
Post #AtPH8rNWBPAswRcky0 by [email protected]
0 likes, 1 repeats
@w00p ah ok I think this might be feasible then
Post #AtPHLGmFZmstBq6rmS by [email protected]
0 likes, 0 repeats
@[email protected] @[email protected] the "third party too…
Post #AtPHLGsdC3zLVd5xj6 by [email protected]
0 likes, 1 repeats
@qrsbrwn @axel I suppose I just have not run into such systems then. Most of th…
Post #AtPHMYhOQgX93wS7Jg by [email protected]
0 likes, 0 repeats
@tjbutt58 I'll keep this in mind, but I think another problem that stems fr…
Post #AtPHMYmi6umrKQwMbY by [email protected]
0 likes, 1 repeats
@still that's true. Mostly, though, rpm based distros work one way, deb wor…
Post #AtPHN3dvNdB92A4HiK by [email protected]
0 likes, 1 repeats
@qrsbrwn @axel I suppose I just have not run into such systems then. Most of th…
Post #AtPHY9DT00oRVKyrzc by [email protected]
0 likes, 0 repeats
@still Nope! You could run it as a cron job, I guess? No idea how long it would…
Post #AtPI9ZlNGGRGYKghwO by [email protected]
0 likes, 0 repeats
@still not sure if it's really 'code signing' as such, but Redhat (…
Post #AtPI9Zs6rDpItDq5RI by [email protected]
0 likes, 0 repeats
@aloz1 this sounds like a good solution yeah
Post #AtPIA5e2j3aXQrVIxM by [email protected]
0 likes, 0 repeats
@still the question seems a bit misleading. The concept of binary signing and v…
Post #AtPIYY0SvgIyLPecNc by [email protected]
0 likes, 1 repeats
@still dm-verity might not even be enough. You can still mount an overlay over …
Post #AtPIhnSGrU0sra4Plw by [email protected]
0 likes, 1 repeats
@maubil in many of the incidents we and our peers have seen, they have already …
Post #AtPKLYKyaVsLVwBAoK by [email protected]
0 likes, 1 repeats
Just to be clear - I'm not suggesting binary signing is the way to go or th…
Post #AtPL7LFmXJHcprXMa8 by [email protected]
0 likes, 1 repeats
@still the challenge with linux distros is that enabling this stuff by default …
Post #AtPLthPhRuZlSnEcGe by [email protected]
0 likes, 0 repeats
@[email protected] Yeah, I get that tbh. I've been looking for somethi…
Post #AtPLwWCzZ7OPa3dRFw by [email protected]
0 likes, 0 repeats
@still I really wonder if binary signing would hold, though. You can cause equa…
Post #AtPLxpvRkA551O3aIC by [email protected]
0 likes, 0 repeats
@still in short, the tools are there, but work differently to Windows. Not rely…
Post #AtPLzU9peCC85XZVsO by [email protected]
0 likes, 0 repeats
@kevinriggle @still r/o and noexec filesystem mounts, SystemD ProtectSystem, Pro…
Post #AtPM5vOrH2IEJgfeC0 by [email protected]
0 likes, 0 repeats
@still There have been attempts to do code signing on Linux and ELF supports it…
Post #AtPM9ZFRZl30lw0JtY by [email protected]
0 likes, 0 repeats
@still doesn't an immutable Linux give you that? Or am I misunderstanding t…
Post #AtPMHMbSTOeBs51DlY by [email protected]
0 likes, 0 repeats
@still Debian variants have debsums, but its comparing to a file under /var rkh…
Post #AtPMIfpQTmwtmrB1Hc by [email protected]
0 likes, 0 repeats
@still I think you're looking for immutable distributions, Fedora Silverblu…
Post #AtPOjhG5TEbdwuf1FY by [email protected]
0 likes, 1 repeats
@still @skewray It is trivial for any competent sysadmin and should have been a…
Post #AtPT9JfqBCv09HB7aK by [email protected]
0 likes, 1 repeats
@still @axel I faced the same question and issue some years ago, while performi…
Post #AtPUz2wdisw9HEGbC4 by [email protected]
0 likes, 0 repeats
@still I see, I'm still a bit confused on how this could realistically work…
Post #AtPUz32fMTl1Zv5PaS by [email protected]
0 likes, 0 repeats
@still I guess that the use of a Programmable ROM for the kernel would solve th…
Post #AtPV5oQE7IZAGKKdyy by [email protected]
0 likes, 0 repeats
@vampirdaddy @kevinriggle @still yup, going with "prevent this in the firs…
Post #AtPV8mTnnKkv6hQ66K by [email protected]
0 likes, 0 repeats
@still that's correct. You need complete, static images of the root filesys…
Post #AtPX1719kcgEOcUZMm by [email protected]
0 likes, 0 repeats
@[email protected] @[email protected] AIDE is very good, definitel…
Post #AtPqeOJ3IvXiRGJ1lI by [email protected]
0 likes, 1 repeats
@axel @still Yeah, been using it for years, learnt it from SANS SEC506, an old t…
Post #AtQUULJdZ4KuQzLJuy by [email protected]
0 likes, 1 repeats
@still @axel For me ro-fs+dm/fs-verity is something an Enterprise Linux OS vend…
Post #AtQZzG6hToDv1mqwnw by [email protected]
0 likes, 1 repeats
@still @axel OS vendor support would solve supply, next you need to solve deman…
Post #AujEYSX4oXUeVpK9g0 by [email protected]
0 likes, 0 repeats
@skewray @still, Debian-like systems should have debsums installed. That's …