Getting Malware and Viruses by using appliances

Hi.

Does anybody tell me what actions are being taken to avoid malware, rootkits and/or viruses inside of appliances, shared on susegallery.com?

I did an article for a online-linux-magazine, concerning susestudio, and one of these questions came. How can I avoid suspicious software, using an unknown appliance?

Is there any 'appliance-check' from Novell before the release on suesgallery.com?

On Wednesday 04 August 2010 08:47:53 transwarp wrote:
>
> Does anybody tell me what actions are being taken to avoid malware,
> rootkits and/or viruses inside of appliances, shared on susegallery.com?

First of all, if we get to know about malicious appliances we take them down
of course. This is a given.

On top of that the trustworthiness of an appliance relies on the
trustworthiness of the packages which are put into the appliance. As Studio
mainly just assembles existing components from well-known repositories, it
basically inherits what is done for these repositories to avoid malicious
software. The most effective component of this probably is peer-review, as
many people are looking at the various parts and will notice, if something
goes wrong there.

> I did an article for a online-linux-magazine, concerning susestudio, and
> one of these questions came. How can I avoid suspicious software, using an
> unknown appliance?

If you want to make sure, you can look at what's in the appliance. You can
check everything, which goes in, to make sure that it's all good.

> Is there any 'appliance-check' from Novell before the release on
> suesgallery.com?

For the SUSE Linux Enterprise based appliances, we run a supportability
analysis as part of every build. This checks for integrity and sources of
packages.

--
Cornelius Schumacher <[hidden email]>
_______________________________________________
studio-users mailing list
[hidden email]
http://listx.novell.com/mailman/listinfo/studio-users

On Wed, Aug 04, 2010 at 11:29:19AM +0200, Cornelius Schumacher wrote:
> First of all, if we get to know about malicious appliances we take them down
> of course. This is a given.

Obviously.
 
> On top of that the trustworthiness of an appliance relies on the
> trustworthiness of the packages which are put into the appliance.

And perhaps for Studio that is where the "problem" lies as I have control
over what is installed.

> As Studio
> mainly just assembles existing components from well-known repositories, it
> basically inherits what is done for these repositories to avoid malicious
> software. The most effective component of this probably is peer-review, as
> many people are looking at the various parts and will notice, if something
> goes wrong there.

As I can install my own RPMs, scripts and do any chown and chmod, it could
make the ISO that is made unsafe. Studio in itself is not unsafe, but the
product it builds might be.

This can happen accidentily or on purpose.
If you want to build something like http://www.damnvulnerablelinux.org/ it
is (partly?) possible.

If this would happen often, people might percieve Studio as unsafe.

houghi
--
This is written under the inluence of the following:
>   Artist : James Brown
>     Song : Good Good Lovin'
>    Album : Star Time
_______________________________________________
studio-users mailing list
[hidden email]
http://listx.novell.com/mailman/listinfo/studio-users

On Wednesday 04 August 2010 13:30:32 houghi wrote:
>
> As I can install my own RPMs, scripts and do any chown and chmod, it could
> make the ISO that is made unsafe. Studio in itself is not unsafe, but the
> product it builds might be.

Right. We don't want to restrict users in installing own RPMs, etc. as this
would limit the usefulness. But maybe we can improve showing what's actually
in the appliances and what creators did to create them. It's all already
accessible, so if you want to make sure that an appliance is safe, you can
already do that by looking into it, but there certainly are ways to make this
more obvious.

What kind of indicators would you find useful? If custom packages were added,
if specific overlay files were added, if external repositories were used,
something like that?

> If this would happen often, people might percieve Studio as unsafe.

That's of course something we want to avoid.

--
Cornelius Schumacher <[hidden email]>
_______________________________________________
studio-users mailing list
[hidden email]
http://listx.novell.com/mailman/listinfo/studio-users

On Wed, Aug 04, 2010 at 01:47:23PM +0200, Cornelius Schumacher wrote:

For the RPMs you could go into YaST and look there where they came from.
However I could imagine that a malicious person could falsify the vendor.

So some sort of summery would be nice. e.g (And I am now thinking aloud)

List of RPMs with their origin, be it the repo or uploaded. If Uploaded,
only the fact that it has been uploaded. I would not say from where, as
that can be temporary files and if people don't find that file, it might
lead people to believe there is an issue, even if that is not the case.

All the info from the "Configuration" tab
All the info from the "Files" tab with the archive info expanded

There might however be an issue (absolutely unsure, so please confirm or
deny) if you want to do somthing in a script at the end of a build that
contains a password or other information that should be kept secret.
I have no idea if that might be the case and/or if that might be an issue.

How would you place this informaton on the medium? As it is a file, I
could remove it or edit it and give a false sence of security. So perhaps
a gpg signature of the content, so it can always be verified against an
external Studio gpg signature. That would mean a way for people who do not
have an account to have access to the public key  via the website.

houghi
--
This is written under the inluence of the following:
>   Artist : Nat King Cole
>     Song : Maria Elena
>    Album : Cole Espanol And More Vol.1
_______________________________________________
studio-users mailing list
[hidden email]
http://listx.novell.com/mailman/listinfo/studio-users

On Wednesday 04 August 2010 15:53:14 houghi wrote:
>
> There might however be an issue (absolutely unsure, so please confirm or
> deny) if you want to do somthing in a script at the end of a build that
> contains a password or other information that should be kept secret.
> I have no idea if that might be the case and/or if that might be an issue.

With publishing on Gallery, the configuration of the appliance becomes public
as well, so you shouldn't publish it, if you use secrets in build script or
something like that. So this is not an issue here.

> How would you place this informaton on the medium? As it is a file, I
> could remove it or edit it and give a false sence of security. So perhaps
> a gpg signature of the content, so it can always be verified against an
> external Studio gpg signature. That would mean a way for people who do not
> have an account to have access to the public key  via the website.

That's a great idea.

Thanks for the good input.

--
Cornelius Schumacher <[hidden email]>
_______________________________________________
studio-users mailing list
[hidden email]
http://listx.novell.com/mailman/listinfo/studio-users

This did dawn on me, seeing the volume of appliance images on the site.

What I've wished for is some some modicum of trustworthiness in an appliance lineage.

For instance, if I prevent my appliance from being cloned then I can avert a blackhatter from cloning it & keeping it posted in the "New" list with a nearly identical name.

On the other hand, if my appliance is clonable then other users can trace the lineage of the RPM's (people can see the packages & file lineage online).

Perhaps the "share & build" community in SuseStudio can be kept trustworthy via some anti-malware scan agent running on the SuSE Studio website.

I myself can see I'm compounding the question b/c I am importing & compiling sources (online no less!) not available in SuSE's repo's ( Oracle's BerkeleyDB-SQLite hybrid, SQLite mgm't tools, etc....).

Thanks!

CONTENTS DELETED

 On 08/20/2010 11:37 AM, tomcatjosh wrote: I strongly disagree.  Although I agree with providing as much freedom as
possible to create your own images, if you plan to share them in the
SUSE Gallery there is an expectation that the build is not malicious. To
that end we are working on adding trust metrics, and security measures,
possibly including virus scanning, for appliances shared in Gallery.

- James Mason
_______________________________________________
studio-users mailing list
[hidden email]
http://listx.novell.com/mailman/listinfo/studio-users

CONTENTS DELETED

I see you put a great deal of thought into it. --- On Fri, 8/20/10, tomcatjosh [via SUSE Studio Users] <[hidden email]> wrote: From: tomcatjosh [via SUSE Studio Users] <[hidden email]> Subject: Re: Getting Malware and Viruses by using appliances To: "leebert" <[hidden email]> Date: Friday, August 20, 2010, 2:37 PM Hey- People have a right to put whatever they want to in their suse appliances. Blocking, or putting in a virus scanner would be hurtful towards the idea of a hugely customizable Linux Studio. If you don't want to risk a virus, it is simple: Don't download a Linux distro from SuSE Studio! Just get Ubuntu. or a regular SUSE iso from opensuse.org  Me-OS- My On-Going Project To Create an easy to use Linux Distro. View message @ http://suse-studio-users.1598176.n2.nabble.com/Getting-Malware-and-Viruses-by-using-appliances-tp5371406p5445644.html To unsubscribe from Re: Getting Malware and Viruses by using appliances, click here.

James Mason wrote

>   http://me-os.herobo.com Me-OS- My On-Going Project To Create an easy to
> use Linux Distro.  
I strongly disagree.  Although I agree with providing as much freedom as
possible to create your own images, if you plan to share them in the
SUSE Gallery there is an expectation that the build is not malicious. To
that end we are working on adding trust metrics, and security measures,
possibly including virus scanning, for appliances shared in Gallery.

- James Mason

I already sent this to the OpenSuSE Studio team, I'll assume they took care of it... In my "KDE3 11.3 backstep" build I actually include clam antivirus.

Although it may have been a false positive, during a testdrive last week I got an alert on this file:

/usr/share/doc/packages/libieee1284/interface.pdf: Suspect.PDF.ObfuscatedJS-1 FOUND

==============================
----------- SCAN SUMMARY -----------
Known viruses: 774883
Engine version: 0.96.1
Scanned directories: 7685
Scanned files: 69185
Infected files: 1
Data scanned: 1825.76 MB
Data read: 2418.43 MB (ratio 0.75:1)
Time: 455.134 sec (7 m 35 s)
==============================

It may have been a case of the AV database files being out of date, I don't know, I haven't gone back to check.

A Security Summary was recently added to appliances in SUSE Gallery.  You can read about it on the blog.  The Security Summary provides a quick visual summary as to the 'trustability' of the appliance, as well as specific exceptions.  This is a solid first step towards providing a secure, safe environment in which to share; except more in-depth steps in the future.