Malware detection practices on Linux?

Off-Topic discussions about science, technology, and non Debian specific topics.

pizza-rat
Posts: 91
Joined: 2023-05-16 21:38
Has thanked: 39 times
Been thanked: 21 times

Malware detection practices on Linux?

#1 Post by pizza-rat »

I was curious as to what one can do on Linux to spot something behaving in ways it shouldn't, with regard to, say, software compiled from outside the official repositories (and perhaps even from within the repositories, as it seems unreasonable to assume maintainers read the source code for every package in big repos), in the case that you need/want to use something that isn't in them.

What I already know of:
Using opensnitch to be alerted when something tries to connect to the internet
Monitoring processes to see if anything is running/being autostarted when it shouldn't be

What else is there? I'm not asking for preemptive measures like "just don't install/run it" (this is obvious, but I'm curious) or "read all the source code yourself" (I'm not a programmer and don't intend to be) or protective measures à la sandboxing (to protect your home directory) or using Wayland (to mitigate keylogging).
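The "monitoring processes to see if anything is running when it shouldn't" point above can be made concrete with a check that the thread itself does not spell out: compare each running process's executable link in /proc with where a packaged binary would normally live. The script below is an added example, not code from the original poster or from any Debian tool. It assumes the prefixes in SUSPECT_PREFIXES are unusual places for a program to run from on your machine (adjust the list if, for instance, you launch AppImages from your home directory), and it builds a constructed /proc look-alike out of symlinks so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes whose on-disk executable
# is gone or sits somewhere a packaged program would not normally run from.
# Assumption: the locations in SUSPECT_PREFIXES are "unusual" on this
# machine; tune the list for your own setup.

SUSPECT_PREFIXES="/tmp/ /var/tmp/ /dev/shm/ /home/ /run/user/"

# Print "pid<TAB>reason<TAB>exe" for every process worth a second look.
# $1 is the /proc root (default /proc); a fixture directory can be passed
# instead so the logic can be exercised without privileges.
suspicious_procs() {
    procroot="${1:-/proc}"
    for d in "$procroot"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # Reading another user's exe link needs privilege; unreadable
        # entries (and kernel threads, which have no exe) are skipped.
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        case "$exe" in
            *' (deleted)')
                # The binary was unlinked after it started: common for
                # droppers that remove themselves (and for in-place upgrades,
                # so expect some benign hits right after apt runs).
                printf '%s\tdeleted-on-disk\t%s\n' "$pid" "$exe"
                ;;
            *)
                for p in $SUSPECT_PREFIXES; do
                    case "$exe" in
                        "$p"*)
                            printf '%s\tunusual-location\t%s\n' "$pid" "$exe"
                            break
                            ;;
                    esac
                done
                ;;
        esac
    done
    return 0
}

# Number of findings, for use from a cron job or a monitoring check.
suspicious_count() {
    suspicious_procs "$1" | wc -l | tr -d ' '
}

# Build a constructed /proc look-alike (symlinks only) so the scan can be
# tested deterministically; the link targets do not need to exist.
make_proc_fixture() {
    fx="$(mktemp -d)"
    mkdir -p "$fx/101" "$fx/102" "$fx/103" "$fx/104" "$fx/self"
    ln -s /usr/bin/bash "$fx/101/exe"                      # packaged: fine
    ln -s /tmp/.x/updater "$fx/102/exe"                    # runs from /tmp
    ln -s "/usr/local/bin/helper (deleted)" "$fx/103/exe"  # unlinked after start
    ln -s /dev/shm/payload "$fx/104/exe"                   # runs from tmpfs
    ln -s /usr/bin/sh "$fx/self/exe"                       # not a PID dir, ignored
    printf '%s\n' "$fx"
}

# Stand-alone run against the live system (run as root to see every process).
suspicious_procs /proc
```

Run it from cron or a systemd timer and alert on a non-zero suspicious_count; a deleted-on-disk hit right after an upgrade is expected (restart the service), while a process running from /dev/shm or /tmp on a desktop almost never is.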

ruwolf
Posts: 643
Joined: 2008-02-18 05:04
Location: Banovce nad Bebravou
Has thanked: 41 times
Been thanked: 30 times

Re: Malware detection practices on Linux?

#2 Post by ruwolf »

Have you read Securing Debian Manual?

pizza-rat
Posts: 91
Joined: 2023-05-16 21:38
Has thanked: 39 times
Been thanked: 21 times

Re: Malware detection practices on Linux?

#3 Post by pizza-rat »

ruwolf wrote: 2024-02-27 22:59 Have you read Securing Debian Manual?
Started reading through it - man, this thing hasn't been updated in a while. It's still using ext3 and sysvinit!

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: Malware detection practices on Linux?

#4 Post by Uptorn »

pizza-rat wrote: 2024-02-27 20:22 What I already know of:
Using opensnitch to be alerted when something tries to connect to the internet
Monitoring processes to see if anything is running/being autostarted when it shouldn't be
In addition to those, you might also consider:
  • apparmor + apparmor profiler from apparmor-utils. Apparmor can act a bit like Opensnitch, but for resources by file path. Profiles in "complain" mode will show attempted accesses without restricting the program.
  • tcpdump. Listen by port number. 53 is most revealing IMO
  • mitmproxy ...except you already have Opensnitch running which does the same kind of thing in a much more robust way.
  • File integrity monitoring, with anything; tiger, tripwire, integrit, samhain, etc will alert you to unexpected (and expected) changes to designated files.
You could also just poke around in the application options as well, I suppose? Quite a few programs have phone home self-update checks despite being packaged through apt (maintainers don't know or don't care to disable these?). For example, pitivi.
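The file-integrity-monitoring suggestion in the post above (tiger, tripwire, integrit, samhain) boils down to one mechanism: hash the files you care about once, then periodically re-hash and diff. The script below is an added example of that mechanism, not code from the poster or from any of those tools. It assumes the watched paths and the fixture contents are illustrative (a cron.d entry, a script it runs, and /etc/passwd, all constructed here), and that in real use the manifest is stored read-only or off the host, since anything that can rewrite the manifest can hide its changes.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity monitor in the
# spirit of integrit/samhain. fim_baseline records a SHA-256 manifest of every
# regular file under the watched paths; fim_check recomputes it and reports
# what was added, removed or changed. Assumption: the fixture below is
# constructed for illustration; keep a real manifest somewhere malware
# running as your user (or as root) cannot rewrite it.

# Emit "path<TAB>sha256" for every regular file under the given paths, sorted.
# (Paths containing newlines are not handled; the usual watch targets
# such as /etc, /usr/local/bin and ~/.config/autostart do not contain any.)
fim_snapshot() {
    find "$@" -type f -exec sha256sum {} + 2>/dev/null \
        | awk '{ h = $1; p = substr($0, length(h) + 3); print p "\t" h }' \
        | LC_ALL=C sort
}

# fim_baseline MANIFEST PATH... : write the manifest to compare against later.
fim_baseline() {
    fb_manifest="$1"; shift
    fim_snapshot "$@" > "$fb_manifest"
}

# fim_check MANIFEST PATH... : print "added|changed|removed<TAB>path" lines;
# prints nothing when everything still matches the manifest.
fim_check() {
    fc_manifest="$1"; shift
    fc_now="$(mktemp)"
    fim_snapshot "$@" > "$fc_now"
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2; next }   # manifest lines
        { cur[$1] = $2 }                             # current snapshot lines
        END {
            for (p in cur) {
                if (!(p in old)) { print "added\t" p } else if (old[p] != cur[p]) { print "changed\t" p }
            }
            for (p in old) { if (!(p in cur)) { print "removed\t" p } }
        }' "$fc_manifest" "$fc_now" | LC_ALL=C sort
    rm -f "$fc_now"
}

# Constructed fixture standing in for a few classic persistence locations.
make_fim_fixture() {
    fx="$(mktemp -d)"
    mkdir -p "$fx/etc/cron.d" "$fx/usr/local/bin"
    printf '0 3 * * * root /usr/local/bin/backup\n' > "$fx/etc/cron.d/backup"
    printf '#!/bin/sh\nexit 0\n' > "$fx/usr/local/bin/backup"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$fx/etc/passwd"
    printf '%s\n' "$fx"
}

# What a dropper might do after the baseline was taken (constructed).
tamper_fim_fixture() {
    fx="$1"
    printf '#!/bin/sh\n/tmp/.x/updater &\nexit 0\n' > "$fx/usr/local/bin/backup"  # modified
    printf '* * * * * root /tmp/.x/updater\n' > "$fx/etc/cron.d/updater"         # added
    rm -f "$fx/etc/passwd"                                                        # removed
}

# Stand-alone demonstration on the fixture: prints one added, one changed
# and one removed line.
demo_dir="$(make_fim_fixture)"
demo_manifest="$(mktemp)"
fim_baseline "$demo_manifest" "$demo_dir"
tamper_fim_fixture "$demo_dir"
fim_check "$demo_manifest" "$demo_dir"
rm -rf "$demo_dir" "$demo_manifest"
```

For the other two suggestions in the post: `tcpdump -n -i any port 53` is the quick way to see which names a freshly installed program resolves, and for AppArmor the relevant commands from apparmor-utils are `aa-complain` (switch an existing profile into complain mode so would-be denials are logged rather than enforced) and `aa-logprof` (turn those logged accesses into profile rules). Both the FIM check and the tcpdump capture only tell you something changed or connected; whether that is the program's own update check or something worse is still a judgement call.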

pizza-rat
Posts: 91
Joined: 2023-05-16 21:38
Has thanked: 39 times
Been thanked: 21 times

Re: Malware detection practices on Linux?

#5 Post by pizza-rat »

Uptorn wrote: 2024-03-02 06:32
pizza-rat wrote: 2024-02-27 20:22 What I already know of:
Using opensnitch to be alerted when something tries to connect to the internet
Monitoring processes to see if anything is running/being autostarted when it shouldn't be
In addition to those, you might also consider:
  • apparmor + apparmor profiler from apparmor-utils. Apparmor can act a bit like Opensnitch, but for resources by file path. Profiles in "complain" mode will show attempted accesses without restricting the program.
  • tcpdump. Listen by port number. 53 is most revealing IMO
  • mitmproxy ...except you already have Opensnitch running which does the same kind of thing in a much more robust way.
  • File integrity monitoring, with anything; tiger, tripwire, integrit, samhain, etc will alert you to unexpected (and expected) changes to designated files.
You could also just poke around in the application options as well, I suppose? Quite a few programs have phone home self-update checks despite being packaged through apt (maintainers don't know or don't care to disable these?). For example, pitivi.
Thanks for the suggestions, I'll look into these!
