I was curious as to what one can do on Linux to spot something behaving in ways it shouldn't, with regard to, say, software compiled from outside official repositories (and perhaps even from within the repositories, as it seems unreasonable to assume maintainers read the source code for every package in big repos) in the case that you need/want to use something that isn't in them.
What I already know of:
- Using opensnitch to be alerted when something tries to connect to the internet
- Monitoring processes to see if anything is running/being autostarted when it shouldn't be
What else is there? I'm not asking for preemptive measures like "just don't install/run it" (this is obvious, but I'm curious) or "read all the source code yourself" (I'm not a programmer and don't intend to be) or protective measures à la sandboxing (to protect your home directory) or using Wayland (to mitigate keylogging).
Malware detection practices on Linux?
Re: Malware detection practices on Linux?
Started reading through it - man, this thing hasn't been updated in a while. It's still using ext3 and sysvinit!
Re: Malware detection practices on Linux?
In addition to those, you might also consider:
- apparmor + apparmor profiler from apparmor-utils. Apparmor can act a bit like Opensnitch, but for resources by file path. Profiles in "complain" mode will show attempted accesses without restricting the program.
- tcpdump. Listen by port number. 53 is most revealing IMO
- mitmproxy ...except you already have Opensnitch running which does the same kind of thing in a much more robust way.
- File integrity monitoring, with anything; tiger, tripwire, integrit, samhain, etc will alert you to unexpected (and expected) changes to designated files.
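The file integrity monitoring point above, and the opening post's question about spotting unexpected autostart entries, both come down to the same thing: record a baseline of the files you care about and later report what was added, removed or modified. The POSIX sh script below is an added example and is not from this thread, nor from tiger, tripwire, integrit or samhain; it only uses sha256sum, find, sort and awk. The fim_* function names and the directory tree it builds under mktemp (a "bin" directory and an "autostart" directory with .desktop files) are constructed for the demo; on a real system you would point fim_baseline at your own paths, for example a locally built binary, ~/.config/autostart and /etc/cron.d.

```shell
#!/bin/sh
# Added example (not from the thread): minimal file-integrity baseline/compare.
# fim_* names are hypothetical; paths in fim_demo are constructed for the demo.

# fim_baseline ROOT MANIFEST
# Hash every regular file under ROOT and write "HASH  PATH" lines to MANIFEST,
# sorted by path so two manifests can be compared deterministically.
fim_baseline() {
    root=$1; manifest=$2
    find "$root" -type f -exec sha256sum {} + | sort -k2 > "$manifest"
}

# fim_compare BASELINE CURRENT
# Print one "ADDED|MODIFIED|REMOVED PATH" line per difference.
# Returns 0 when the manifests match, 1 when anything changed.
# sha256sum separates hash and path with two spaces, so split on exactly that;
# paths containing a double space would confuse the split (acceptable here).
fim_compare() {
    baseline=$1; current=$2
    changes=$(awk -F '  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        { cur[$2] = $1 }                              # second file: current
        END {
            for (p in cur) {
                if (!(p in base))             print "ADDED " p
                else if (cur[p] != base[p])   print "MODIFIED " p
            }
            for (p in base) {
                if (!(p in cur))              print "REMOVED " p
            }
        }' "$baseline" "$current" | sort)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# fim_demo
# Build a constructed tree, take a baseline, then simulate the three kinds of
# change a monitor should catch: a binary replaced, an autostart entry that
# appeared, and one that disappeared. Prints the findings; always returns 0.
fim_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin" "$work/autostart"
    printf 'original binary\n'        > "$work/bin/tool"
    printf 'Exec=/usr/bin/legit\n'    > "$work/autostart/old.desktop"
    printf 'Exec=/usr/bin/fine\n'     > "$work/autostart/fine.desktop"
    fim_baseline "$work" "$work.baseline"

    # Simulated drift after the baseline was taken (constructed, not real).
    printf 'patched binary\n'         > "$work/bin/tool"
    printf 'Exec=/opt/unknown/app\n'  > "$work/autostart/unexpected.desktop"
    rm "$work/autostart/old.desktop"

    fim_baseline "$work" "$work.current"
    fim_compare "$work.baseline" "$work.current" || true   # 1 means "changes found"
    rm -rf "$work" "$work.baseline" "$work.current"
}

fim_demo
```

Run it once to see the three findings, then keep the baseline manifest somewhere the monitored software cannot write to (a read-only medium or another account), otherwise whatever you are watching could rewrite the baseline along with the files. For the tcpdump suggestion in the same post, the matching defender-side invocation is `tcpdump -ni any -l port 53`, which shows every DNS lookup a process makes without needing to know its port in advance.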
Re: Malware detection practices on Linux?
Uptorn wrote: 2024-03-02 06:32
In addition to those, you might also consider:
- apparmor + apparmor profiler from apparmor-utils. Apparmor can act a bit like Opensnitch, but for resources by file path. Profiles in "complain" mode will show attempted accesses without restricting the program.
- tcpdump. Listen by port number. 53 is most revealing IMO
- mitmproxy ...except you already have Opensnitch running which does the same kind of thing in a much more robust way.
- File integrity monitoring, with anything; tiger, tripwire, integrit, samhain, etc will alert you to unexpected (and expected) changes to designated files.

Thanks for the suggestions, I'll look into these!

You could also just poke around in the application options as well, I suppose? Quite a few programs have phone-home self-update checks despite being packaged through apt (maintainers don't know or don't care to disable these?). For example, pitivi.