Re: What is the best free HIDS for Debian

2022-05-17 Thread Elmar Stellnberger
Am 16.05.22 um 11:38 schrieb Sylvain: Hello, Here's the result of debcheckroot on an entirely fresh install of debian, without any access to the internet from a browser or a mail client. I only: - ran "apt update" to test my internet connection - copied files on a USB stick Here's the

Re: What is the best free HIDS for Debian

2022-05-16 Thread Elmar Stellnberger
Sylvain, I just wanna warn you that there is a hardware backdoor in x86 computers. Using that you won't see any manipulation; like from a fresh install. See: https://www.elstel.org/uni/ DualSat master thesis, Epilogue, point 6 (as far as I remember, or last point). Also please don't re-send

Re: What is the best free HIDS for Debian

2022-05-16 Thread Sylvain
Hello, Here's the result of debcheckroot on an entirely fresh install of debian, without any access to the internet from a browser or a mail client. I only: - ran "apt update" to test my internet connection - copied files on a USB stick Here's the fileserror.lis: ..._..M

Re: Fwd: Re: Fwd: What is the best free HIDS for Debian

2022-05-14 Thread Sylvain
Hello, Le 13/05/2022 à 20:30, Elmar Stellnberger a écrit : From what Sylvain has answered me, she didn't do that. As said the mail header I got also did not show anything like that. I must point out that I'm a man. "Sylvain" is for boys and "Sylvie" for girls. :)

Re: Fwd: Re: Fwd: What is the best free HIDS for Debian

2022-05-13 Thread Elmar Stellnberger
From what Sylvain has answered me, she didn't do that. As said the mail header I got also did not show anything like that. Am 13.05.22 um 20:25 schrieb Adam D. Barratt: On Fri, 2022-05-13 at 20:01 +0200, estel...@elstel.org wrote: Michael Lazin had published a private email between me an

Re: Fwd: Re: Fwd: What is the best free HIDS for Debian

2022-05-13 Thread Adam D. Barratt
On Fri, 2022-05-13 at 20:01 +0200, estel...@elstel.org wrote: > Michael Lazin had published a private email between me an Sylvain > Sécherre. It means he is an NSA guy, since he had access to a > wiretapped > conversation. > > https://lists.debian.org/debian-security/2022/05/msg00018.html >

Re: Fwd: Re: Fwd: What is the best free HIDS for Debian

2022-05-13 Thread Noah Meyerhans
iretapped > > conversation. > > > > https://lists.debian.org/debian-security/2022/05/msg00018.html > > > > ---- Originalnachricht > > Betreff: Re: Fwd: What is the best free HIDS for Debian > > Datum: 12.05.2022 12:53 > > Von: Sylvain Séche

Re: Fwd: Re: Fwd: What is the best free HIDS for Debian

2022-05-13 Thread Elmar Stellnberger
conversation. https://lists.debian.org/debian-security/2022/05/msg00018.html Originalnachricht Betreff: Re: Fwd: What is the best free HIDS for Debian Datum: 12.05.2022 12:53 Von: Sylvain Sécherre An: Elmar Stellnberger Dear Elmar, Don't worry about this, feel free to cite me

Fwd: Re: Fwd: What is the best free HIDS for Debian

2022-05-13 Thread estellnb
. If he did and I have made emails public because of this which you didn't want to have public, then my sincere apologies for what has happened here! Best Regards, Elmar Forwarded Message Subject: Re: What is the best free HIDS for Debian Date: Sun, 8 May 2022 16:51:46 +0200 From

Re: What is the best free HIDS for Debian

2022-05-13 Thread Sylvain
Dear Elmar, Thank you for your tips. But before reinstalling from scratch on my desktop, which is a lot of work, I will reinstall Debian on an old netbook which is on a desk and I don't use anymore. I'll run debcheckroot on it and we will see... I must apologise if my English is not very good.

Re: What is the best free HIDS for Debian

2022-05-11 Thread Elmar Stellnberger
Dear Vitaly On 5/10/22 05:24, Vitaly Krasheninnikov wrote: Hi Elmar, Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system. In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us:

Re: What is the best free HIDS for Debian

2022-05-10 Thread Richard van den Berg
On 10/05/2022 05:37, Vitaly Krasheninnikov wrote: Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system. In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and

Re: What is the best free HIDS for Debian

2022-05-09 Thread Vitaly Krasheninnikov
Hi Elmar, Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system. In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M". According to the description on your

Re: What is the best free HIDS for Debian

2022-05-09 Thread Elmar Stellnberger
Am 09.05.22 um 13:34 schrieb t...@vandradlabs.com.au: On 2022-05-09 18:04, Elmar Stellnberger wrote: Am 09.05.22 um 00:48 schrieb Tomasz Ciolek: 5. have we eliminated other causes of file mismatch - bad/incomplete updates, corrupted HDD, bad RAM, user error ?   If exactly such files

Re: What is the best free HIDS for Debian

2022-05-09 Thread tmc
On 2022-05-09 18:04, Elmar Stellnberger wrote: Am 09.05.22 um 00:48 schrieb Tomasz Ciolek: 5. have we eliminated other causes of file mismatch - bad/incomplete updates, corrupted HDD, bad RAM, user error ? If exactly such files have been changed where there is reason to manipulate them

Re: What is the best free HIDS for Debian

2022-05-09 Thread Michael Lazin
This supports the use of rkhunter and running it once on first install but you can manually find file changes systematically by becoming root and going to the top level directory and running “find -ctime 1”, “find -ctime -2” etc ad infinitum until you find all files that may have been compromised.

Re: What is the best free HIDS for Debian

2022-05-09 Thread Elmar Stellnberger
Am 09.05.22 um 00:48 schrieb Tomasz Ciolek: 5. have we eliminated other causes of file mismatch - bad/incomplete updates, corrupted HDD, bad RAM, user error ? If exactly such files have been changed where there is reason to manipulate them for a rootkit then one shall assume unequivocally

Re: What is the best free HIDS for Debian

2022-05-08 Thread Michael Lazin
Rkhunter does find patterns of known rootkits but it also finds indicators like memory anomalies like I mentioned and it logs each file change from the install, this is why ideally you should install it in a fresh system. Thanks. Michael Lazin On Sun, May 8, 2022 at 3:45 PM wrote: > Am

Re: What is the best free HIDS for Debian

2022-05-08 Thread estellnb
Am 08.05.2022 20:43, schrieb estel...@elstel.org: P.S.: A memory only rootkit would still need a hook to reinstall on a fresh boot. Yes I know it is an issue. Debcheckroot does f.i. not check your initrd. To fix this issue I would need to program my own piece of software like

Re: What is the best free HIDS for Debian

2022-05-08 Thread estellnb
Am 08.05.2022 20:48, schrieb Michael Lazin: SELinux was made by the NSA but it is open source, anyone can review the source code, this is part of what makes open source software reliable, it gets seen by many eyes, and even if you don't review every line of code yourself you have a web of trust

Re: What is the best free HIDS for Debian

2022-05-08 Thread Michael Lazin
SELinux was made by the NSA but it is open source, anyone can review the source code, this is part of what makes open source software reliable, it gets seen by many eyes, and even if you don't review every line of code yourself you have a web of trust that someone has reviewed it, and it is

Re: What is the best free HIDS for Debian

2022-05-08 Thread estellnb
Am 08.05.22 um 20:21 schrieb Michael Lazin: > I think if you have a root kit it is very unlikely to get rid of it without backing up and reimaging but you may be able to achieve it if you try first rkhunter and second apparmor which is similar to selinux which was developed by the nsa and made

Re: What is the best free HIDS for Debian

2022-05-08 Thread Elmar Stellnberger
Hi Sylvain If you also care about the package selection you have installed you may do a 'dpkg -l' or copy /var/lib/dpkg/status. Possibly I will write something to clean the status file from packages that will be installed implicitly as dependency. Under Mageia you can use

Re: What is the best free HIDS for Debian

2022-05-08 Thread Elmar Stellnberger
On 08.05.22 16:51, Sylvain Sécherre wrote: I thought a lot about your answer and I feel a bit tricky... I understand what you're writing but I don't know how to do this. Do you think I can simply get rid of this rootkit? I've tried to move the file "crontab" in a safe place and then

Re: What is the best free HIDS for Debian

2022-05-08 Thread Elmar Stellnberger
On 08.05.22 16:51, Sylvain Sécherre wrote: I thought a lot about your answer and I feel a bit tricky... I understand what you're writing but I don't know how to do this. Do you think I can simply get rid of this rootkit? I've tried to move the file "crontab" in a safe place and then

Re: What is the best free HIDS for Debian

2022-05-08 Thread Michael Lazin
I think if you have a root kit it is very unlikely to get rid of it without backing up and reimaging but you may be able to achieve it if you try first rkhunter and second apparmor which is similar to selinux which was developed by the nsa and made accessible as a Red Hat package. Both solutions

Re: What is the best free HIDS for Debian

2022-05-08 Thread Sylvain
Dear Elmar, Thank you for your help. I really appreciate it very much. I thought a lot about your answer and I feel a bit tricky... I understand what you're writing but I don't know how to do this. Do you think I can simply get rid of this rootkit? I've tried to move the file "crontab" in a

Re: What is the best free HIDS for Debian

2022-05-06 Thread Elmar Stellnberger
Dear Sylvain The next thing I would do is create a timeline. Mount the partition with noatime so that access times are preserved as they are on new file operations and then let find output access, modification and creation time of all files. Look on when these three executables have been

Re: What is the best free HIDS for Debian

2022-05-06 Thread Elmar Stellnberger
Dear Sylvain Am 04.05.22 um 13:17 schrieb Sylvain: I've just tried debcheckroot too. It throws errors. I'll try to fix them. Am 06.05.22 um 15:05 schrieb Sylvain Sécherre: > Here's the fileserror.lis: > ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755 > ..._..M /usr/bin/pkexec

Re: What is the best free HIDS for Debian

2022-05-04 Thread Sylvain
Thank you very much for your answers. I've tried to install Wazuh. It works fine but I can't install the agent and the manager on the same PC. Is it normal? However this soft seems to be very complex for my domestic needs... I've just tried debcheckroot too. It throws errors. I'll try to fix

Re: What is the best free HIDS for Debian

2022-05-04 Thread Marc Haber
On Tue, May 03, 2022 at 02:18:51PM +0200, Sylvain wrote: > I have a segfault and this line in syslog: kernel: [ 1771.894150] > aide[7032]: segfault at 1c ip 7f7472672050 sp > 7fffc95d5bf0 error 4 in libnss_systemd.so.2[7f7472671000+33000]. The > system is up to date from backports. The

Re: What is the best free HIDS for Debian

2022-05-03 Thread Elmar Stellnberger
On 03.05.22 15:03, Jonathan Hutchins wrote: When testing for intrusion on a system that has been running with a live connection, it's necessary to test from an inviolate source, an ISO image that is known to be un-infected.  Obviously, this should not be created on an infected machine, which

Re: What is the best free HIDS for Debian

2022-05-03 Thread Jonathan Hutchins
With that many errors from that many different programs it strongly suggests that there is a problem with your filesystem, possibly an existing infection. When testing for intrusion on a system that has been running with a live connection, it's necessary to test from an inviolate source, an

Re: What is the best free HIDS for Debian

2022-05-03 Thread Sylvain
Thank you for your responses! Tripwire: - It throws a segfault error while scanning on one PC. No errors mentioned in log files. - On another machine tripwire worked fine for a long time but now I have this error while scanning: *** Fatal exception: basic_string::_M_create

Re: What is the best free HIDS for Debian

2022-05-02 Thread mlnl
Hi Sylvain, Sylvain wrote: >So can you tell me if there is another free HostBase Intrusion >Detection System. I have used Tripwire and Aide in the past and now, since a few years, Samhain from source together with signify instead of gnupg for the signature

Re: What is the best free HIDS for Debian

2022-05-02 Thread Darren S.
On Mon, May 2, 2022 at 11:36 AM Sylvain wrote: > > Hello everyone ! > > I unsuccessfully tried Tripwire, Aide, Integrit and now OSSEC and OSSEC+. > > All these softs throw errors while running or compiling on my Debian 11.3... > > So can you tell me if there is another free HostBase Intrusion

Re: What is the best free HIDS for Debian

2022-05-02 Thread Dave P.
Did you try Suricata? https://suricata.io/download/ D Pro On Mon, May 2, 2022 at 2:36 PM Sylvain wrote: > Hello everyone ! > > I unsuccessfully tried Tripwire, Aide, Integrit and now OSSEC and OSSEC+. > > All these softs throw errors while running or compiling on my Debian > 11.3... > > So can

Re: What is the best free HIDS for Debian

2022-05-02 Thread Gianluca Gabrielli
Sylvain wrote: I unsuccessfully tried Tripwire, Aide, Integrit and now OSSEC and OSSEC+. All these softs throw errors while running or compiling on my Debian 11.3... So can you tell me if there is another free HostBase Intrusion Detection System. Have you checked Wazuh [0] out? [0]

Re: What is the best free HIDS for Debian

2022-05-02 Thread Hannes von Haugwitz
Hi Sylvain, On Mon, May 02, 2022 at 08:11:18PM +0200, Sylvain wrote: > I unsuccessfully tried Tripwire, Aide, Integrit and now OSSEC and OSSEC+. > > All these softs throw errors while running or compiling on my Debian 11.3... Can you please be more specific? What are the errors you get from AIDE

What is the best free HIDS for Debian

2022-05-02 Thread Sylvain
Hello everyone ! I unsuccessfully tried Tripwire, Aide, Integrit and now OSSEC and OSSEC+. All these softs throw errors while running or compiling on my Debian 11.3... So can you tell me if there is another free HostBase Intrusion Detection System. Sylvain