Re: [CentOS] how to know when a system is compromised

2019-11-15 Thread Leroy Tennison
Actually, a defense here is to umount the path, then remount it as part of 
running the AIDE script.  There may be an end-run to this as well; security is 
a never-ending battle.


From: CentOS  on behalf of Leroy Tennison 

Sent: Thursday, November 14, 2019 1:20 PM
To: CentOS mailing list 
Subject: Re: [CentOS] how to know when a system is compromised

 Thanks - I'll keep that in mind...

Harriscomputer

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com




2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com


This message has been sent on behalf of a company that is part of the Harris 
Operating Group of Constellation Software Inc.

If you prefer not to be contacted by Harris Operating Group please notify 
us<http://subscribe.harriscomputer.com/>.



This message is intended exclusively for the individual or entity to which it 
is addressed. This communication may contain information that is proprietary, 
privileged or confidential or otherwise legally exempt from disclosure. If you 
are not the named addressee, you are not authorized to read, print, retain, 
copy or disseminate this message or any part of it. If you have received this 
message in error, please notify the sender immediately by e-mail and delete all 
copies of the message.






From: CentOS  on behalf of Chris Adams 

Sent: Thursday, November 14, 2019 10:57 AM
To: centos@centos.org 
Subject: [EXTERNAL] Re: [CentOS] how to know when a system is compromised

Once upon a time, Leroy Tennison  said:
>  The executable could be placed on mounted read-only media

That's not as secure as you think.  Linux bind mounts can mount a file
over another file (plus there's overlay filesystems), so it's possible
to replace a binary even on a read-only device.

--
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos



Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread Phil Perry

On 14/11/2019 16:57, Valeri Galtsev wrote:
> On 2019-11-14 10:01, Christopher Wensink wrote:
>> I have not, I'll look into that one, thanks!
>>
>> On 11/14/2019 9:48 AM, SternData wrote:
>>> Do you run rkhunter?
>>>
>>> On 11/14/19 9:40 AM, Christopher Wensink wrote:
>>>> How do you know when a Linux system has been compromised?
>
> I'm sure you have followed the procedure for how to install the system and 
> services so everything is secure.
>
> If, in the longer run, no matter that you have the system set up and 
> configured securely and keep updating it, the system still gets 
> compromised, then you need:
>
> 1. compromise warning
> 2. forensic investigation
> 3. recovery from compromise.
>
> I figure yours is about 1. You probably will not get a detailed description 
> of the actual setup people on this list have. Information about what the 
> defense is is the first step in every attack. The best you may get is 
> advice on what to look for.
>
> One of the things you can set up is a [host-based, maybe] system integrity 
> checking system (or intrusion detection system). That only makes sense 
> on a freshly installed system in a known good state. There were a variety of 
> these: tripwire (which went commercial), eics, ... If you search for 
> linux intrusion detection system you should find what you need.
>
> I hope this helps.
>
> Valeri

I would add Trusted Path Execution (TPE) to the toolbox of any sysadmin who 
cares about security. It's easy to install from elrepo.org (kmod-tpe). I 
wrote an overview (below) so won't repeat myself here, but I would 
strongly encourage people to try it out:


http://lists.elrepo.org/pipermail/elrepo/2017-June/003620.html



Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread Leroy Tennison
 Thanks - I'll keep that in mind...

From: CentOS  on behalf of Chris Adams 

Sent: Thursday, November 14, 2019 10:57 AM
To: centos@centos.org 
Subject: [EXTERNAL] Re: [CentOS] how to know when a system is compromised

Once upon a time, Leroy Tennison  said:
>  The executable could be placed on mounted read-only media

That's not as secure as you think.  Linux bind mounts can mount a file
over another file (plus there's overlay filesystems), so it's possible
to replace a binary even on a read-only device.

--
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos



Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread Chris Adams
Once upon a time, Leroy Tennison  said:
>  The executable could be placed on mounted read-only media

That's not as secure as you think.  Linux bind mounts can mount a file
over another file (plus there's overlay filesystems), so it's possible
to replace a binary even on a read-only device.

-- 
Chris Adams 
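The bind-mount-over-a-file and overlay shadowing Chris describes here, and the umount/remount step Leroy suggests in his 2019-11-15 reply as part of the AIDE run, as an added example. This is not code from the thread or from AIDE; the /proc/self/mountinfo field layout is the kernel's documented format, while the media path (/mnt/trusted), the device (/dev/sr0), the aide location on the media, and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Find mounts stacked on top of a
# read-only media path before trusting the binaries on it, then (as root)
# drop them and remount the media as one step of the AIDE run.
#
# /proc/self/mountinfo format, one mount per line:
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields...] - FSTYPE SOURCE SUPEROPTS
# Paths with whitespace are escaped as \040 there; this example assumes none.

# Print "MOUNTPOINT FSTYPE SOURCE ROOT" for every mount strictly below the
# media mount point $1, reading mountinfo lines from stdin. Anything below it
# shadows part of the media: a bind mount over a single file, an overlay with
# the media as its lower layer, a tmpfs over a directory, and so on.
find_stacked_mounts() {
    awk -v p="$1" '
        {
            fstype = "?"; src = "?"
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); src = $(i + 2); break }
            pp = (p == "/") ? "/" : (p "/")
            if ($5 != p && index($5, pp) == 1)
                printf "%s %s %s %s\n", $5, fstype, src, $4
        }'
}

# Print the filesystem type mounted at exactly $1 (iso9660 for the media
# itself; overlay if someone has layered a writable upper dir over it).
fstype_at() {
    awk -v p="$1" '
        $5 == p { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit } }'
}

# Leroy's step: unmount everything stacked under the media (deepest path
# first), remount the media read-only, then run aide from it. Needs root and
# a live system; the media path, device and aide location are assumptions.
refresh_and_check() {
    media="$1"; dev="$2"
    find_stacked_mounts "$media" < /proc/self/mountinfo | awk '{ print $1 }' \
        | LC_ALL=C sort -r | while read -r mp; do umount "$mp" || return 1; done || return 1
    umount "$media" && mount -o ro "$dev" "$media" || return 1
    "$media/bin/aide" --check
}

# Constructed sample: an ISO mounted read-only at /mnt/trusted, a tmpfs file
# bind-mounted over /mnt/trusted/bin/ls, and an overlay over /mnt/trusted/sbin.
SAMPLE_MOUNTINFO='25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 11:0 / /mnt/trusted ro,relatime - iso9660 /dev/sr0 ro
52 40 0:45 /evil/ls /mnt/trusted/bin/ls rw,relatime - tmpfs tmpfs rw
53 40 0:46 / /mnt/trusted/sbin rw,relatime - overlay overlay rw,lowerdir=/mnt/trusted/sbin,upperdir=/tmp/u,workdir=/tmp/w'

echo "stacked over /mnt/trusted in the sample:"
printf '%s\n' "$SAMPLE_MOUNTINFO" | find_stacked_mounts /mnt/trusted
```

On a live host, `find_stacked_mounts /mnt/trusted < /proc/self/mountinfo` printing anything at all is the alarm; the ROOT column shows which file or directory on the source filesystem is being shown in place of the media's content. Two caveats a practitioner should keep in mind: mountinfo only describes the mount namespace the checker runs in, so run it from the same namespace as the AIDE job, and it is a userland view that a kernel-level compromise can falsify, which is why this complements rather than replaces running the checker from media the host cannot write.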


Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread Valeri Galtsev




On 2019-11-14 10:01, Christopher Wensink wrote:
> I have not, I'll look into that one, thanks!
>
> On 11/14/2019 9:48 AM, SternData wrote:
>> Do you run rkhunter?
>>
>> On 11/14/19 9:40 AM, Christopher Wensink wrote:
>>> How do you know when a Linux system has been compromised?

I'm sure you have followed the procedure for how to install the system and 
services so everything is secure.

If, in the longer run, no matter that you have the system set up and 
configured securely and keep updating it, the system still gets 
compromised, then you need:

1. compromise warning
2. forensic investigation
3. recovery from compromise.

I figure yours is about 1. You probably will not get a detailed description 
of the actual setup people on this list have. Information about what the 
defense is is the first step in every attack. The best you may get is 
advice on what to look for.

One of the things you can set up is a [host-based, maybe] system integrity 
checking system (or intrusion detection system). That only makes sense 
on a freshly installed system in a known good state. There were a variety of 
these: tripwire (which went commercial), eics, ... If you search for 
linux intrusion detection system you should find what you need.

I hope this helps.

Valeri

>>> Every day I watch our systems with all the typical tools, ps, top, who,
>>> I watch firewall / IPS logs, I have logwatch setup and mailing daily
>>> summaries to me and I dive deeper into logs if something looks suspicious.
>>>
>>> What am I missing or not looking at that you security gurus are looking at?
>>>
>>> I subscribe to the centos and SANS newsletters, and I try to keep
>>> current on all technology with credible sources of articles online and
>>> with the Lynda library.
>>>
>>> What other sources of information do you use to stay current about the
>>> latest threats and technology updates?
>>>
>>> I appreciate the feedback.
>>>
>>> Chris






--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247

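Valeri's point that a host-based integrity checker is only meaningful against a baseline taken on a known-good system, as an added example that is neither code from the thread nor from tripwire or AIDE: the two halves of such a tool, baseline and check, in plain sh. The record layout, the use of ls for metadata and the usage paths are this example's own choices and assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not tripwire/AIDE code: the core of
# a host-based integrity checker in two functions. Baseline format, one
# record per regular file:
#   <sha256> <mode string> <owner> <group> <size> <path>
# Take the baseline on a freshly installed, known-good system and keep it
# where the monitored host cannot rewrite it (read-only media, another host).
# Paths are assumed not to contain whitespace.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'    # macOS / BSD fallback
    fi
}

# Mode string, owner, group and size via ls, so this works without GNU stat.
meta_of() {
    ls -ld "$1" | awk '{ print $1, $3, $4, $5 }'
}

# integrity_baseline DIR  > baseline.txt
# Hashes every regular file under DIR, in a locale-independent order.
integrity_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(meta_of "$f")" "$f"
    done
}

# integrity_check DIR BASELINE
# Prints one ADDED / REMOVED / CHANGED line per difference and returns 1 if
# there were any; prints nothing and returns 0 when the tree matches.
# A changed record with the same size still shows up, because the hash is
# part of the record.
integrity_check() {
    cur=$(mktemp) || return 1
    integrity_baseline "$1" > "$cur"
    diffs=$(awk '
        FILENAME == ARGV[1] { old[$NF] = $0; next }
        {
            if (!($NF in old))       print "ADDED   " $NF
            else if (old[$NF] != $0) print "CHANGED " $NF
            seen[$NF] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur")
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage (paths are hypothetical):
#   integrity_baseline /etc > /media/ro/etc.base     on the known-good host
#   integrity_check /etc /media/ro/etc.base          later, e.g. from cron
case "${1:-}" in
    baseline) integrity_baseline "$2" ;;
    check)    integrity_check "$2" "$3" ;;
esac
```

The check answers Valeri's step 1 (compromise warning) only for what userland can see: it catches replaced binaries, edited configs and dropped files, but a kernel-level rootkit that lies to read() or stat() defeats it, which is why the thread's other suggestions (running the checker from read-only media, TPE, rkhunter) sit alongside it rather than replacing it.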


Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread Christopher Wensink
I have not, I'll look into that one, thanks!

On 11/14/2019 9:48 AM, SternData wrote:
> Do you run rkhunter?
>
> On 11/14/19 9:40 AM, Christopher Wensink wrote:
>> How do you know when a Linux system has been compromised? 
>>
>> Every day I watch our systems with all the typical tools, ps, top, who,
>> I watch firewall / IPS logs, I have logwatch setup and mailing daily
>> summaries to me and I dive deeper into logs if something looks suspicious.
>>
>> What am I missing or not looking at that you security gurus are looking at?
>>
>> I subscribe to the centos and SANS newsletters, and I try to keep
>> current on all technology with credible sources of articles online and
>> with the Lynda library.
>>
>> What other sources of information do you use to stay current about the
>> latest threats and technology updates?
>>
>> I appreciate the feedback.
>>
>> Chris
>


Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread SternData
Do you run rkhunter?

On 11/14/19 9:40 AM, Christopher Wensink wrote:
> How do you know when a Linux system has been compromised? 
> 
> Every day I watch our systems with all the typical tools, ps, top, who,
> I watch firewall / IPS logs, I have logwatch setup and mailing daily
> summaries to me and I dive deeper into logs if something looks suspicious.
> 
> What am I missing or not looking at that you security gurus are looking at?
> 
> I subscribe to the centos and SANS newsletters, and I try to keep
> current on all technology with credible sources of articles online and
> with the Lynda library.
> 
> What other sources of information do you use to stay current about the
> latest threats and technology updates?
> 
> I appreciate the feedback.
> 
> Chris

