brent timothy saner via plug on 11 May 2021 17:11:08 -0700



Re: [PLUG] Simple Reliable method to determine what is running on a Linux Box


On 5/11/21 11:56, Mark Bergman via plug wrote:
> Conceptually, there is no way to do what you want.
> 
> If someone has shell access, they can trivially obscure any program they are running. That's how malware operates, only in this case, the act of hiding a forbidden program is done
> intentionally by the owner of the PC. The simplest example is:
> 
> 	sudo cp /path/to/app/forbidden/during/exam /usr/bin/vi
> 	vi  

Just a point of argument, this wouldn't work in SELinux with contexts
applied.

BUUUT of course that requires you having root access to their machine,
them NOT having it[0], and running CentOS/RedHat.
(Similarly, you can only whitelist specific commands for sudo, but
again- you root, them not, etc.)

But it *is* enforceable under those conditions.



[0] "But they have physical access!"
Sure, but consider this: an iPXE-booted filesystem that requires remote
decryption via SSH. They can't change or bruteforce/etc. the root
password (because the / fs image is encrypted), they can't mount the
image (read-only, loads into RAM, and again- requires remote
decryption), and at that point the only circumvention options they have
available are custom rootkitted kernel/initramfs (which can be detected
by runtime analysis from within the encrypted fs image post-decryption)
or custom hardware-level attacks. The ROI on these for a ham license
test is extremely poor, so you're probably fine.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
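The sudo whitelisting the reply mentions, as an added example that is not part of the thread: a sudoers drop-in that replaces blanket root with a fixed list of commands, so the "sudo cp forbidden-app /usr/bin/vi" trick from the quoted message is simply not permitted. The account name "student", the service name and the command paths are assumptions for illustration.

```sudoers
# /etc/sudoers.d/exam  (example; 'student', the service name and paths are assumed)

# Weak setting: unrestricted root, so "sudo cp forbidden /usr/bin/vi" just works.
# student ALL=(ALL) ALL

# Whitelist: exactly these commands, as root, and nothing else.
# Note the absence of cp, mv, install, chmod, chcon, etc.
Cmnd_Alias EXAM_CMDS = /usr/bin/systemctl status exam-proctor.service, \
                       /usr/sbin/reboot
student ALL=(root) NOPASSWD: EXAM_CMDS

# If an editor ever has to be on the list, remember that vi reaches a root
# shell with ":!sh". noexec blocks that escape for dynamically linked
# binaries; sudoedit is the safer alternative for editing files.
Cmnd_Alias EDITORS = /usr/bin/vi
Defaults!EDITORS noexec
```

Check the file with `visudo -cf /etc/sudoers.d/exam` before installing it (a syntax error in sudoers locks everyone out of sudo), and confirm what the account actually gets with `sudo -l -U student`. This only holds under the conditions the reply lays out: the examiner controls root and the student does not, since anyone who can write to /etc/sudoers.d can undo it.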