
[ale] Need a better Linux distro

On Sun, May 31, 2020 at 10:20:28AM -0400, Leam Hall via Ale wrote:
> > _every_ distro has vulnerabilities; that's why you must routinely apply
> > the various updates the distro supplies.  If the vulnerability was due
> > to software or configuration not supplied/managed by the distro, then
> > the underlying distro probably wouldn't have mattered.
> I consider the installation of significant packages (libselinux-*,
> linux-firmware) from a third party repository, from some areas of the world,
> to totally compromise the system. While I would love to believe the best in
> everyone, and to be right about that, reality says that doesn't work.

Sure, that's a sign of a breach.  But the same sort of thing is possible 
with any other distro that uses runtime-installable packages.  It tells 
you only that you were breached, not _how_ you'd been breached.

Meanwhile, this doesn't tell you what the initial attack vector had 
been.  Was it...

  ...due to a vulnerable software or configuration shipped by CentOS? 
  ...due to software fixed by upstream, but CentOS had not updated? 
  ...due to software fixed by/via CentOS, but you had not updated? 
  ...due to software you'd installed or configured on top of the distro? 
  ...due to brute-forced or compromised user credentials?
  ...due to your home router being compromised, allowing redirection to
     non-trusted update sites?

   (and many more possibilities...)

If you want to replace CentOS so you can learn/play with something 
different, that's wonderful, but it would be a really good idea to try 
and figure out when/how your system was compromised so you don't end 
right back up in the same situation with the new distro.  

Especially if they got in using compromised credentials.  (You did scrap 
all of your ssh keys, right?)

Assuming the attackers didn't wipe logs, yum maintains a transaction 
history that can be used to determine when those highly suspicious 
packages were installed.  From there you can inspect the other system 
logs around that time.

 - Solomon
Solomon Peachy			      pizza at shaftnet dot org (email&xmpp)
                                      @pizza:shaftnet dot org   (matrix)
High Springs, FL                      speachy (freenode)
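The pivot Solomon describes (find when the suspicious packages landed, then look at what else happened around that time) as an added example; this is not code from the original post or from any of the list members. It assumes the CentOS 7 layouts of /var/log/yum.log ("Mon DD HH:MM:SS Action: [epoch:]name-version-release.arch") and of /var/log/secure as written by rsyslog ("Mon DD HH:MM:SS host prog[pid]: message"). Every log line in it is constructed sample data, including the package versions, hostname and IP addresses; the year is assumed because syslog-style timestamps do not carry one. The window sizes (6 hours before the first install, 1 hour after) are a starting point, not a rule.

```python
"""Pivot from the yum package log to the auth log around a suspicious install.

Added example, not from the original mailing-list post.  Assumes CentOS 7
formats for /var/log/yum.log and /var/log/secure; all log lines below are
constructed sample data.
"""
import re
from datetime import datetime, timedelta

YEAR = 2020  # syslog-style timestamps carry no year; assumed for the sample

# Constructed /var/log/yum.log excerpt (versions are made up).
YUM_LOG = """\
May 12 06:30:41 Updated: bash-4.2.46-34.el7.x86_64
May 18 04:02:11 Updated: kernel-3.10.0-1127.8.2.el7.x86_64
May 20 03:14:02 Updated: libselinux-2.5-15.el7.x86_64
May 20 03:14:09 Installed: libselinux-python-2.5-15.el7.x86_64
May 20 03:14:15 Updated: linux-firmware-20191203-76.gite8a0f4c.el7.noarch
May 25 11:00:03 Updated: 1:openssl-libs-1.0.2k-19.el7.x86_64
""".splitlines()

# Constructed /var/log/secure excerpt (host, users and addresses are made up).
SECURE_LOG = """\
May 12 06:29:50 web1 sshd[1410]: Accepted publickey for leam from 192.0.2.10 port 50122 ssh2: RSA SHA256:sample
May 19 23:41:07 web1 sshd[2190]: Failed password for root from 203.0.113.5 port 51230 ssh2
May 19 23:41:12 web1 sshd[2190]: Failed password for root from 203.0.113.5 port 51230 ssh2
May 20 02:58:40 web1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51234 ssh2
May 20 02:58:40 web1 sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 20 03:13:50 web1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/yum -y install linux-firmware
May 25 10:59:30 web1 sshd[3002]: Accepted publickey for leam from 192.0.2.10 port 50200 ssh2: RSA SHA256:sample
""".splitlines()

SYSLOG_TS = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
YUM_LINE = re.compile(SYSLOG_TS + r" (Installed|Updated|Erased|Obsoleted): (?:\d+:)?(\S+)$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def parse_ts(ts, year=YEAR):
    """Turn a syslog-style 'Mon DD HH:MM:SS' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def package_name(nevra):
    """name-version-release.arch -> name (version and release never contain '-')."""
    return nevra.rsplit("-", 2)[0]


def suspicious_installs(yum_log, name_prefixes):
    """(time, action, nevra) for every yum.log entry whose package name starts with a watched prefix."""
    hits = []
    for line in yum_log:
        m = YUM_LINE.match(line)
        if not m:
            continue
        ts, action, nevra = m.groups()
        if package_name(nevra).startswith(tuple(name_prefixes)):
            hits.append((parse_ts(ts), action, nevra))
    return hits


def events_near(secure_log, when, before=timedelta(hours=6), after=timedelta(hours=1)):
    """Auth-log lines whose timestamp falls in [when - before, when + after]."""
    out = []
    for line in secure_log:
        m = re.match(SYSLOG_TS, line)
        if m and when - before <= parse_ts(m.group(1)) <= when + after:
            out.append(line)
    return out


def accepted_logins(lines):
    """(method, user, source address) for every successful sshd login in the given lines."""
    return [m.groups() for m in map(ACCEPTED.search, lines) if m]


def triage(yum_log, secure_log, name_prefixes):
    """Earliest suspicious install, every matching install, and the auth events around the first one."""
    installs = suspicious_installs(yum_log, name_prefixes)
    if not installs:
        return None
    first = min(t for t, _, _ in installs)
    window = events_near(secure_log, first)
    return {"first_install": first, "installs": installs,
            "window": window, "logins": accepted_logins(window)}


if __name__ == "__main__":
    result = triage(YUM_LOG, SECURE_LOG, ["libselinux", "linux-firmware"])
    print("first suspicious install:", result["first_install"])
    for line in result["window"]:
        print("  ", line)
    print("successful logins in window:", result["logins"])
```

On the real box the inputs come from `yum history list all` and `yum history info <id>` (whose package list shows the repository each package came from, which is the quickest way to spot the third-party repo), `rpm -qa --last` for install dates straight from the RPM database, and `journalctl --since`/`--until` or the rotated copies of /var/log/secure for the surrounding window.  Pull all of that off the machine before rebuilding it, since the reinstall destroys the evidence.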