September 15, 2022

Auditing GNU/Linux with OSQuery

Intro Many incident responders struggle with Linux as exposure is limited, considering that corporate environments rarely have user interaction within a Linux desktop environment (outside of the occasional sysadmin). This prevents analysts from “knowing normal”, thus the processes and activity quickly become an enigma. Attacks in these environments rarely have a delivery mechanism tailored towards users, such as maldocs contained in emails or staged on compromised/malicious sites. Most attacks inevitably occur from misconfigured or unpatched services that interface with the public web, which commonly are vulnerabilities within components of web applications or respective plugins.

August 1, 2022

Plague Kernel

Intro Most security researchers gloss over the monolithic kernel that continually supports more and more architecture and rarely if ever purges support for the legacy. It’s unfortunate, however “it just works” is the argument to be made. In the kernel space, usability trumps security. Linux security projects in particular should place more of an emphasis on the kernel, one that borders fixation. Kernel security has been largely ignored. It contains classes of vulnerabilities, and the solutions are quick-fix patches that don’t address the trend at large.

July 28, 2022

PlagueOS: Operating System of the Underground

Intro There has been a lot of hype around the latest player in the operating system market. PlagueOS is designed to be a security-centric distribution built on Void Linux. Currently, the market with secure computing is limited to Whonix, TAILS, Qubes, and now the addition of Plague. Background According to the main developer (arcanedev), Void Linux was selected primarily due to the MUSL codebase and use of runit service manager by default.