1
00:00:00,000 --> 00:00:11,040
This video is about malware detection and vulnerability scanning.

2
00:00:11,040 --> 00:00:16,719
So you need to understand why Linux is not sensitive to viruses.

3
00:00:16,719 --> 00:00:22,219
Well, the design of the Linux operating system makes it less sensitive to viruses.

4
00:00:22,219 --> 00:00:27,280
And that is because, first, Linux has a strict separation between users and root.

5
00:00:27,280 --> 00:00:31,080
And processes run with limited privileges by default.

6
00:00:31,080 --> 00:00:36,560
So the access of a potential virus to the operating system by this alone is dramatically

7
00:00:36,560 --> 00:00:37,560
limited.

8
00:00:37,560 --> 00:00:42,799
What also helps is that files have strict ownership and permissions.

9
00:00:42,799 --> 00:00:45,619
And not everything is allowed on a file.

10
00:00:45,619 --> 00:00:51,639
So for a virus it's almost impossible to modify files on the operating system.

11
00:00:51,639 --> 00:00:54,919
And also the source code behind Linux is open.

12
00:00:54,919 --> 00:00:58,200
It's what we call the many eyeballs effect.

13
00:00:58,200 --> 00:01:02,439
Everybody can read the source code and everybody can detect if something is fundamentally wrong

14
00:01:02,439 --> 00:01:03,959
in the source code.

15
00:01:03,959 --> 00:01:09,680
So secretly sneaking a virus into the source code of a program that you run on a computer

16
00:01:09,680 --> 00:01:13,040
is just not done on Linux.

17
00:01:13,040 --> 00:01:17,760
What also helps is that packages are installed from trusted repositories.

18
00:01:17,760 --> 00:01:20,440
So your distribution comes with a repository.

19
00:01:20,440 --> 00:01:23,339
The repository is signed with GPG keys.

20
00:01:23,339 --> 00:01:29,180
So if anyone is pretending to be your repository, normally it doesn't get through the GPG key

21
00:01:29,180 --> 00:01:30,500
check.

22
00:01:30,500 --> 00:01:34,900
And all of that makes Linux a reliable platform.

23
00:01:34,900 --> 00:01:37,459
Now zero-day exploits may exist.

24
00:01:37,459 --> 00:01:41,400
And they make applications running on Linux potentially vulnerable.

25
00:01:41,400 --> 00:01:46,540
And that is why every now and then you should be checking if anything is wrong.

26
00:01:46,540 --> 00:01:49,660
Because on Linux you can have what we call a rootkit.

27
00:01:49,660 --> 00:01:58,419
So rootkits are providing application backdoors that allow the root user to access secretly.

28
00:01:58,419 --> 00:02:05,660
And in order to scan for rootkits, there are commonly used programs like rkhunter and chkrootkit.

29
00:02:05,660 --> 00:02:11,139
Alternatively, you can use AIDE for unexpected file changes.

30
00:02:11,139 --> 00:02:13,300
So AIDE is a commonly used utility.

31
00:02:13,300 --> 00:02:18,259
It works with a database that has been generated with aide --init to summarize the

32
00:02:18,259 --> 00:02:20,300
current state of files.

33
00:02:20,300 --> 00:02:25,460
And after generating, AIDE creates a tar.gz.new file.

34
00:02:25,460 --> 00:02:30,940
And this file must be moved to a plain tar.gz file to be used as the AIDE file.

35
00:02:30,940 --> 00:02:35,279
This will be your blueprint and this will be what you are going to check upon.

36
00:02:35,279 --> 00:02:39,820
And to detect if files have changed, the database that AIDE has created needs to be compared

37
00:02:39,820 --> 00:02:45,580
to the current state of the file system as reported by aide --check.

38
00:02:45,580 --> 00:02:50,580
The aide.conf is a configuration file that is used to specify what exactly to look for

39
00:02:50,580 --> 00:02:53,940
and it can be used to exclude files as well.

40
00:02:53,940 --> 00:02:56,059
And AIDE will find changes.

41
00:02:56,059 --> 00:02:59,059
It won't find what has triggered the change though.

42
00:02:59,059 --> 00:03:04,419
If you also want to figure out what has triggered the change, then you should create an audit

43
00:03:04,419 --> 00:03:07,979
watch rule as discussed elsewhere in this course.

44
00:03:07,979 --> 00:03:09,720
Let's have a look at AIDE.

45
00:03:09,720 --> 00:03:18,240
So let's do a sudo dnf install -y aide.

46
00:03:18,240 --> 00:03:20,880
As on most systems, it's not installed by default.

47
00:03:20,880 --> 00:03:23,559
As you can see, it's not a big install.

48
00:03:23,559 --> 00:03:28,460
Then sudo aide --init.

49
00:03:28,460 --> 00:03:31,039
And that's going to scan your file system.

50
00:03:31,039 --> 00:03:35,039
Depending on the size of your file system, it might take a little bit.

51
00:03:35,039 --> 00:03:36,039
So what do we see?

52
00:03:36,039 --> 00:03:44,000
We see that the new AIDE database has been written to /var/lib/aide/aide.db.new.gz.

53
00:03:44,000 --> 00:03:47,839
And that is what you are going to use to compare it against.

54
00:03:47,839 --> 00:04:13,679
So let me sudo mv /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz.

55
00:04:13,679 --> 00:04:14,839
Good.

56
00:04:14,839 --> 00:04:17,079
Now I can use my AIDE check.

57
00:04:17,079 --> 00:04:22,720
Let's not forget to do that with sudo aide --check.

58
00:04:22,720 --> 00:04:23,880
Small typo.

59
00:04:23,880 --> 00:04:27,079
And that is going to check if anything has changed on the file system.

60
00:04:27,079 --> 00:04:28,880
Now obviously, I just run it.

61
00:04:28,880 --> 00:04:33,799
So I might as well stop it and investigate what is going on.

62
00:04:33,799 --> 00:04:42,000
sudo vim on /etc/aide.conf is the configuration file that is used in the background.

63
00:04:42,000 --> 00:04:45,119
And this is telling you what exactly is going to happen.

64
00:04:45,119 --> 00:04:47,760
It includes the default rules.

65
00:04:47,760 --> 00:04:54,839
And here we can see on the lower part of the screen what the default rules are.

66
00:04:54,839 --> 00:04:55,880
So you know what?

67
00:04:55,880 --> 00:05:00,000
I'm going to do something that should be detected.

68
00:05:00,000 --> 00:05:07,200
I'm going to use sudo chmod 777 on /etc/motd.

69
00:05:07,200 --> 00:05:09,760
That's a file that really nobody cares about.

70
00:05:09,760 --> 00:05:15,320
But now we can check if AIDE is going to find out that the change has occurred.

71
00:05:15,320 --> 00:05:17,720
So here you can see the report.

72
00:05:17,720 --> 00:05:20,519
And in the report, we have a changed entry.

73
00:05:20,519 --> 00:05:24,040
And in the changed entry, we see exactly what has happened.

74
00:05:24,040 --> 00:05:27,920
So this on the left side is what it has found before.

75
00:05:27,920 --> 00:05:31,119
And on the right side is the changed file.

76
00:05:31,119 --> 00:05:36,079
And that allows you to use AIDE as a very convenient utility

77
00:05:36,079 --> 00:05:38,799
to detect unexpected file changes.

78
00:05:38,799 --> 00:05:42,000
It's recommended to use it to ensure the security of your system.

