
26/07/2023, 17:23 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 4 (Auditing, Antivirus & Monitoring) « Null Byte

CYBER WEAPONS LAB  

NULL BYTE

LOCKING DOWN LINUX

Using Ubuntu as Your Primary OS, Part 4 (Auditing, Antivirus & Monitoring)

BY TOKYONEON  07/03/2018 8:30 PM  12/03/2020 6:13 PM  CYBER WEAPONS LAB  KALI ALTERNATIVES

You've protected your Ubuntu system from physical attacks, annoyed network hackers, and
sandboxed potentially malicious applications. Great! Now, the next logical steps to locking
down your OS include thoroughly auditing Ubuntu for weak points, using antivirus software
that respects your privacy, and monitoring system logs like a boss.

This is the final part of our mini-series on strengthening your primary Ubuntu system. You'll
learn about hardening weak points in the OS using a well-respected, open-source auditing tool.
Besides that, we'll check out ClamAV, an antivirus software that won't send your sensitive files
to for-profit company servers. You'll also see how to allow or deny web access for all the apps
on your computer. And when I say "monitoring system logs like a boss," I'm talking about the
/var/log/ directory.

If you missed the beginning of this article series, you should check out the first part to learn
more about my motivations for starting this four-part guide.

Part 3: Using Ubuntu as Your Primary OS (App Hardening & Sandboxing)




Step 1

Audit Your System with Lynis


Lynis, created by CISOfy, is a security auditing tool for Linux and UNIX-based operating
systems that assists penetration testers with system hardening and information security
compliance standards such as ISO27001, HIPAA, and PCI DSS. While Lynis is designed for
companies and organizations, it can be used to audit normal Ubuntu installations with a high
degree of definition and expertise.

Downloading Lynis

Lynis is available on GitHub and can be downloaded with the sudo wget
'https://github.com/CISOfy/lynis/archive/master.zip' command, as seen here:

~$ sudo wget 'https://github.com/CISOfy/lynis/archive/master.zip'

---- https://github.com/CISOfy/lynis/archive/master.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found


Location: https://codeload.github.com/CISOfy/lynis/zip/master [following]


---- https://codeload.github.com/CISOfy/lynis/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.120
Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... co
HTTP request sent, awaiting response... 200 OK
Length: 345734 (338K) [application/zip]
Saving to: ‘master.zip’

master.zip 100%[========================================

(237 KB/s) - ‘master.zip’ saved [345734/345734]

I'm using sudo for the following Lynis commands because the tool and its directories require
privileged access to certain areas of the Ubuntu operating system to properly audit everything.
Normally, it's unsafe to store and use binaries and applications in this way, but we'll be
deleting Lynis immediately after using it.

Decompressing the Download

With the Lynis ZIP downloaded, use sudo unzip master.zip to decompress the archive.

~$ sudo unzip master.zip

Archive: master.zip
6e0ac57b68bfd39dd7d464e93ec85203ee683313
creating: lynis-master/
extracting: lynis-master/.gitignore
inflating: lynis-master/.travis.yml
inflating: lynis-master/CHANGELOG.md
inflating: lynis-master/CODE_OF_CONDUCT.md
inflating: lynis-master/CONTRIBUTING.md
inflating: lynis-master/CONTRIBUTORS.md
inflating: lynis-master/FAQ
inflating: lynis-master/INSTALL
inflating: lynis-master/LICENSE
inflating: lynis-master/README
inflating: lynis-master/README.md
creating: lynis-master/db/
inflating: lynis-master/db/fileperms.db
inflating: lynis-master/db/hints.db
extracting: lynis-master/db/integrity.db
creating: lynis-master/db/languages/
inflating: lynis-master/db/languages/az
linking: lynis-master/db/languages/br -> pt
inflating: lynis-master/db/languages/cn
inflating: lynis-master/db/languages/de
inflating: lynis-master/db/languages/en
linking: lynis-master/db/languages/en-GB -> en
linking: lynis-master/db/languages/en-US -> en
inflating: lynis-master/db/languages/es
inflating: lynis-master/db/languages/fi
inflating: lynis-master/db/languages/fr

inflating: lynis-master/db/languages/gr
inflating: lynis-master/db/languages/he
inflating: lynis-master/db/languages/hu
inflating: lynis-master/db/languages/it
inflating: lynis-master/db/languages/ja
inflating: lynis-master/db/languages/nb-NO
inflating: lynis-master/db/languages/nl
linking: lynis-master/db/languages/nl-BE -> nl
linking: lynis-master/db/languages/nl-NL -> nl
inflating: lynis-master/db/languages/pl
inflating: lynis-master/db/languages/pt
inflating: lynis-master/db/languages/ru
inflating: lynis-master/db/languages/se
inflating: lynis-master/db/languages/tr
inflating: lynis-master/db/malware-susp.db
inflating: lynis-master/db/malware.db
extracting: lynis-master/db/sbl.db
inflating: lynis-master/db/tests.db
inflating: lynis-master/default.prf
inflating: lynis-master/developer.prf
creating: lynis-master/extras/
inflating: lynis-master/extras/README
creating: lynis-master/extras/bash_completion.d/
inflating: lynis-master/extras/bash_completion.d/lynis
inflating: lynis-master/extras/build-lynis.sh
inflating: lynis-master/extras/check-lynis.sh
inflating: lynis-master/extras/files.dat
inflating: lynis-master/extras/lynis.spec
creating: lynis-master/extras/openbsd/
inflating: lynis-master/extras/openbsd/+CONTENTS
creating: lynis-master/extras/systemd/
inflating: lynis-master/extras/systemd/lynis.service
inflating: lynis-master/extras/systemd/lynis.timer
creating: lynis-master/extras/travis-ci/
extracting: lynis-master/extras/travis-ci/before_script.sh
creating: lynis-master/include/
inflating: lynis-master/include/binaries
inflating: lynis-master/include/consts
inflating: lynis-master/include/data_upload
inflating: lynis-master/include/functions
inflating: lynis-master/include/helper_audit_dockerfile
inflating: lynis-master/include/helper_configure
inflating: lynis-master/include/helper_show
inflating: lynis-master/include/helper_system_remote_scan
inflating: lynis-master/include/helper_update
inflating: lynis-master/include/osdetection
inflating: lynis-master/include/parameters
inflating: lynis-master/include/profiles
inflating: lynis-master/include/report
inflating: lynis-master/include/tests_accounting
inflating: lynis-master/include/tests_authentication
inflating: lynis-master/include/tests_banners
inflating: lynis-master/include/tests_boot_services
inflating: lynis-master/include/tests_containers
inflating: lynis-master/include/tests_crypto
inflating: lynis-master/include/tests_custom.template
inflating: lynis-master/include/tests_databases

inflating: lynis-master/include/tests_dns
inflating: lynis-master/include/tests_file_integrity
inflating: lynis-master/include/tests_file_permissions
inflating: lynis-master/include/tests_filesystems
inflating: lynis-master/include/tests_firewalls
inflating: lynis-master/include/tests_hardening
inflating: lynis-master/include/tests_homedirs
inflating: lynis-master/include/tests_insecure_services
inflating: lynis-master/include/tests_kernel
inflating: lynis-master/include/tests_kernel_hardening
inflating: lynis-master/include/tests_ldap
inflating: lynis-master/include/tests_logging
inflating: lynis-master/include/tests_mac_frameworks
inflating: lynis-master/include/tests_mail_messaging
inflating: lynis-master/include/tests_malware
inflating: lynis-master/include/tests_memory_processes
inflating: lynis-master/include/tests_nameservices
inflating: lynis-master/include/tests_networking
inflating: lynis-master/include/tests_php
inflating: lynis-master/include/tests_ports_packages
inflating: lynis-master/include/tests_printers_spools
inflating: lynis-master/include/tests_scheduling
inflating: lynis-master/include/tests_shells
inflating: lynis-master/include/tests_snmp
inflating: lynis-master/include/tests_squid
inflating: lynis-master/include/tests_ssh
inflating: lynis-master/include/tests_storage
inflating: lynis-master/include/tests_storage_nfs
inflating: lynis-master/include/tests_system_integrity
inflating: lynis-master/include/tests_time
inflating: lynis-master/include/tests_tooling
inflating: lynis-master/include/tests_usb
inflating: lynis-master/include/tests_virtualization
inflating: lynis-master/include/tests_webservers
inflating: lynis-master/include/tool_tips
inflating: lynis-master/lynis
inflating: lynis-master/lynis.8
creating: lynis-master/plugins/
inflating: lynis-master/plugins/README
inflating: lynis-master/plugins/custom_plugin.template
inflating: lynis-master/plugins/plugin_pam_phase1
inflating: lynis-master/plugins/plugin_systemd_phase1
finishing deferred symbolic links:
lynis-master/db/languages/br -> pt
lynis-master/db/languages/en-GB -> en
lynis-master/db/languages/en-US -> en
lynis-master/db/languages/nl-BE -> nl
lynis-master/db/languages/nl-NL -> nl

Then, change (cd) into the newly created lynis-master/ directory:

~$ cd lynis-master


The Lynis binary should already have permissions to execute on your machine, but in case it
doesn't, use the sudo chmod +x lynis command.

~/lynis-master$ sudo chmod +x lynis

Running Lynis
To test Lynis and view the available options, use the help (-h) command, i.e., sudo ./lynis -h.

~/lynis-master$ sudo ./lynis -h

[ Lynis 2.6.5 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

2007-2018, CISOfy - https://cisofy.com/lynis/


Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program


------------------------------------

Usage: lynis command [options]

Command:

audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile

show
show : Show all commands
show version : Show Lynis version
show help : Show help

update
update info : Show update details

Options:

--no-log : Don't create a log file


--pentest : Non-privileged scan (useful for pentest)
--profile <profile> : Scan the system with the given profile f
--quick (-Q) : Quick mode, don't wait for user input

Layout options
--no-colors : Don't use colors in output
--quiet (-q) : No output


--reverse-colors : Optimize color display for light backgro

Misc options
--debug : Debug logging to screen
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit

Enterprise options
--plugindir <path> : Define path of available plugins
--upload : Upload data to central node

More options available. Run './lynis show options', or use the man page.

To begin auditing the operating system, use the audit system arguments, such as sudo ./lynis
audit system.

~/lynis-master$ sudo ./lynis audit system

[ Lynis 2.6.5 ]

[+] Initializing program


------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]

---------------------------------------------------
Program version: 2.6.5
Operating system: Linux
Operating system name: Ubuntu Linux
Operating system version: 18.04
Kernel version: 4.15.0
Hardware platform: x86_64
Hostname: nullbyte
---------------------------------------------------
Profiles: /home/tokyoneon/Desktop/lynis-master/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: ./plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ UNKNOWN ]

================================================================================

-[ Lynis 2.6.5 Results ]-


Great, no warnings

Suggestions (25):
----------------------------
* Set a password on GRUB bootloader to prevent altering boot configuration (e.
https://cisofy.com/controls/BOOT-5122/

* Install a PAM module for password strength testing like pam_cracklib or pam_
https://cisofy.com/controls/AUTH-9262/

* Configure minimum password age in /etc/login.defs [AUTH-9286]


https://cisofy.com/controls/AUTH-9286/

* Configure maximum password age in /etc/login.defs [AUTH-9286]


https://cisofy.com/controls/AUTH-9286/

* Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]


https://cisofy.com/controls/AUTH-9328/

* To decrease the impact of a full /home file system, place /home on a separat
https://cisofy.com/controls/FILE-6310/

* To decrease the impact of a full /tmp file system, place /tmp on a separated
https://cisofy.com/controls/FILE-6310/

* To decrease the impact of a full /var file system, place /var on a separated
https://cisofy.com/controls/FILE-6310/

* Disable drivers like USB storage when not used, to prevent unauthorized stora
https://cisofy.com/controls/STRG-1840/

* Check DNS configuration for the dns domain name [NAME-4028]


https://cisofy.com/controls/NAME-4028/

* Install debsums utility for the verification of packages with known good data
https://cisofy.com/controls/PKGS-7370/

* Install package apt-show-versions for patch management purposes [PKGS-7394]


https://cisofy.com/controls/PKGS-7394/

* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]


https://cisofy.com/controls/NETW-3032/

* Check iptables rules to see which rules are currently not used [FIRE-4513]
https://cisofy.com/controls/FIRE-4513/

* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/controls/LOGG-2190/

* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]


https://cisofy.com/controls/BANN-7126/

* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]


https://cisofy.com/controls/BANN-7130/

* Enable process accounting [ACCT-9622]


https://cisofy.com/controls/ACCT-9622/

* Enable sysstat to collect accounting (no results) [ACCT-9626]


https://cisofy.com/controls/ACCT-9626/

* Enable auditd to collect audit information [ACCT-9628]


https://cisofy.com/controls/ACCT-9628/

* Install a file integrity tool to monitor changes to critical and sensitive f


https://cisofy.com/controls/FINT-4350/

* Determine if automation tools are present for system management [TOOL-5002]


https://cisofy.com/controls/TOOL-5002/

* One or more sysctl values differ from the scan profile and could be tweaked
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysct
https://cisofy.com/controls/KRNL-6000/

* Harden compilers like restricting access to root user only [HRDN-7222]


https://cisofy.com/controls/HRDN-7222/

* Harden the system by installing at least one malware scanner, to perform per
- Solution : Install a tool like rkhunter, chkrootkit, OSSEC
https://cisofy.com/controls/HRDN-7230/

================================================================================

Lynis security scan details:

Hardening index : 67 [############# ]


Tests performed : 223
Plugins enabled : 2

Components:
- Firewall [V]
- Malware scanner [X]

Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]

Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat

================================================================================

After more than 200 tests, the Lynis output gets quite long. I've omitted most of the
log but kept the "Suggestions" portion. I think this is one of Lynis' greatest strengths: it offers
helpful starting points for users interested in remediation. For example, Lynis
recommends we "Harden the system by installing at least one malware scanner." This can be
easily resolved by following the next step in this guide and installing antivirus software.
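Lynis also writes every finding to the report file listed at the end of the scan (/var/log/lynis-report.dat), which is easier to keep and compare between audits than the screen output. As an added example that is not part of the original article or of Lynis itself, the following Python script parses that key=value report format into structured warnings and suggestions, groups them by test ID with the matching cisofy.com control link, and pulls out the entries that carry a concrete solution text. The SAMPLE_REPORT contents are constructed for the example and mirror a few of the suggestions above; the field layout (test ID, message, details, solution, separated by |) is an assumption about the report version 1.0 format, so check it against your own report file before relying on it.

```python
"""Parse a Lynis report file (/var/log/lynis-report.dat) into structured findings."""
import re
from collections import defaultdict

# Constructed sample in the key=value format Lynis writes to its report file
# (report version 1.0). The entries echo suggestions shown in the scan above;
# the values are illustrative, not copied from a real report.
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
report_version_minor=0
hostname=nullbyte
os_name=Ubuntu Linux
hardening_index=67
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|Install a tool like rkhunter, chkrootkit, OSSEC|
"""

# warning[]=... and suggestion[]=... lines carry pipe-separated fields (assumed layout:
# test id | message | details | solution | trailing separator).
FINDING_RE = re.compile(r"^(?P<kind>warning|suggestion)\[\]=(?P<body>.*)$")


def parse_report(text):
    """Return (fields, findings).

    fields   -- plain key=value pairs such as hardening_index or hostname
    findings -- list of dicts with kind, test_id, message, details, solution
    """
    fields = {}
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FINDING_RE.match(line)
        if m:
            parts = m.group("body").split("|")
            parts += ["-"] * (4 - len(parts))  # pad short records defensively
            findings.append({
                "kind": m.group("kind"),
                "test_id": parts[0],
                "message": parts[1],
                "details": parts[2],
                "solution": parts[3],
            })
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields, findings


def control_url(test_id):
    """Lynis links each finding to its control page, as seen in the scan output."""
    return f"https://cisofy.com/controls/{test_id}/"


def summarize(findings):
    """Count findings per kind and group messages by test id (one id can fire twice)."""
    by_kind = {"warning": 0, "suggestion": 0}
    by_test = defaultdict(list)
    for f in findings:
        by_kind[f["kind"]] += 1
        by_test[f["test_id"]].append(f["message"])
    return by_kind, dict(by_test)


def actionable(findings):
    """Findings that carry a concrete solution text rather than the '-' placeholder."""
    return [f for f in findings if f["solution"] not in ("", "-")]


if __name__ == "__main__":
    fields, findings = parse_report(SAMPLE_REPORT)
    by_kind, by_test = summarize(findings)
    print(f"Host {fields['hostname']}: hardening index {fields['hardening_index']}")
    print(f"Warnings: {by_kind['warning']}, suggestions: {by_kind['suggestion']}")
    for test_id, messages in by_test.items():
        print(f"[{test_id}] {control_url(test_id)}")
        for msg in messages:
            print(f"    - {msg}")
    for f in actionable(findings):
        print(f"Solution for {f['test_id']}: {f['solution']}")
```

On a real system, replace SAMPLE_REPORT with the contents of /var/log/lynis-report.dat (the file is root-readable, since the scan ran under sudo). Saving the parsed output after each audit lets you diff the findings list, so a new warning stands out instead of being buried in the full screen output.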


Removing Lynis Once Done


When you're completely done auditing your Ubuntu installation, you can remove Lynis using
the below rm commands.

~$ sudo rm -rf /path/to/lynis-master/


~$ sudo rm -rf /path/to/master.zip

Step 2

Protect Against Malware with ClamAV


ClamAV is an open-source antivirus engine used in various situations, including email
scanning, web scanning, and endpoint security. It provides several features Ubuntu users may
appreciate:

Command-line scanner. This will allow users to quickly scan files downloaded from the
internet from any terminal window.
Advanced database updater. ClamAV's virus database will update multiple times per day
with support for scripted updates and digital signatures.
Support for many archive formats. The ClamAV scanner is capable of safely analyzing Zip,
RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, and other file formats.
Support for popular document formats. MS Office, MacOffice, HTML, Flash, RTF, and
PDFs.

Unlike Avast, a popular antivirus company that regularly exports personal user documents to
Avast servers, ClamAV scans filesystems for malware signatures locally. That's really all it
does. It does not, by any means, provide bulletproof protection against highly sophisticated
attacks, just common malware signatures found in the wild.

It's been said that Linux operating systems don't need antivirus software. I mostly agree with
this statement. However, ClamAV is an excellent open-source project and may provide comfort
to users who prefer to know their OS is safely analyzed for malware several times a day.

Installing ClamAV
ClamAV is available in the Ubuntu repositories and can be installed using the sudo apt install
clamav command.


~$ sudo apt install clamav

Reading package lists... Done


Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
menu
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
clamav-base clamav-freshclam libclamav7 libllvm3.9 libmspack0 libtfm1
Suggested packages:
clamav-docs libclamunrar7
The following NEW packages will be installed:
clamav clamav-base clamav-freshclam libclamav7 libllvm3.9 libmspack0 libtfm1
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.5 MB of archives.
After this operation, 50.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Scanning Directories with ClamAV

ClamAV's signature database updates as soon as the package is installed and several times a
day thereafter. The clamscan --help command lists the scanner's available options.

~$ clamscan --help

Clam AntiVirus Scanner 0.99.4


By The ClamAV Team: http://www.clamav.net/about.html#credits
(C) 2007-2018 Cisco Systems, Inc.

--help -h Print this help screen


--version -V Print version number
--verbose -v Be verbose
--archive-verbose -a Show filenames inside scanned archives
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--suppress-ok-results -o Skip printing OK files
--bell Sound bell on virus detection

--tempdir=DIRECTORY Create temporary files in DIRECTORY


--leave-temps[=yes/no(*)] Do not remove temporary files
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load
all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--allmatch[=yes/no(*)] -z Continue scanning within file after fin
--cross-fs[=yes(*)/no] Scan files and directories on other fil
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1

--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = di


--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX

--bytecode[=yes(*)/no] Load bytecode from the database


--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Car
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic
--phishing-ssl[=yes/no(*)] Always block SSL mismatches in URLs (ph
--phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing mod
--partition-intersection[=yes/no(*)] Detect partition intersections in raw d
--algorithmic-detection[=yes(*)/no] Algorithmic detection
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-swf[=yes(*)/no] Scan SWF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-xmldocs[=yes(*)/no] Scan xml-based document files
--scan-hwp3[=yes(*)/no] Scan HWP3 files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclam
--detect-broken[=yes/no(*)] Try to detect broken executable files
--block-encrypted[=yes/no(*)] Block encrypted archives
--block-macros[=yes/no(*)] Block OLE2 files with VBA macros
--nocerts Disable authenticode certificate chain v
--dumpcerts Dump authenticode certificate chain in

--max-filesize=#n Files larger than this will be skipped a


--max-scansize=#n The maximum amount of data to scan for
--max-files=#n The maximum number of files to scan for
--max-recursion=#n Maximum archive recursion level for con
--max-dir-recursion=#n Maximum directory recursion level
--max-embeddedpe=#n Maximum size file to check for embedded
--max-htmlnormalize=#n Maximum size of HTML file to normalize
--max-htmlnotags=#n Maximum size of normalized HTML file to
--max-scriptnormalize=#n Maximum size of script file to normaliz
--max-ziptypercg=#n Maximum size zip to type reanalyze
--max-partitions=#n Maximum number of partitions in disk ima
--max-iconspe=#n Maximum number of icons in PE file to b
--max-rechwp3=#n Maximum recursive calls to HWP3 parsing

--pcre-match-limit=#n Maximum calls to the PCRE match functio


--pcre-recmatch-limit=#n Maximum recursive calls to the PCRE matc
--pcre-max-filesize=#n Maximum size file to perform PCRE subsi
--enable-stats Enable statistical reporting of malware
--disable-pe-stats Disable submission of individual PE sec
--stats-timeout=#n Number of seconds to wait for waiting a
--stats-host-id=UUID Set the Host ID used when submitting sta
--disable-cache Disable caching and cache checks for ha

To scan every file and directory, use the below command.

~$ sudo clamscan -r / --log=/tmp/clamav_report.log

This is the scanner command in its simplest form. Clamscan will recursively (-r) scan
everything (/) and save the scan report (--log) to the /tmp directory. Running such a scan can
take a considerable amount of time, hours if you're scanning terabytes of data. It's
recommended to run such scans overnight and view the results in the morning.

Malware Detections

As a quick demo for this article, I downloaded a malware repository from GitHub and ran
clamscan against the directory containing the malware.

~$ sudo clamscan -ir malware-master/

malware-master/Zeus/output/builder/bot.exe.txt: Win.Spyware.Zbot-1275 FOUND


malware-master/Zeus/output/builder/zsb.exe: Win.Trojan.Zbot-62846 FOUND
malware-master/Zeus/output/server/zsbcs.exe: Win.Trojan.Botnet-6 FOUND
malware-master/Zeus/output/client32.bin: Win.Spyware.Zbot-1275 FOUND
malware-master/Alina/Panel/gate1.php: Php.Malware.ProPOS-2 FOUND
malware-master/mirai/loader/bins/dlr.mpsl: Unix.Malware.Agent-1753181 FOUND
malware-master/mirai/loader/bins/dlr.spc: Unix.Malware.Agent-1753190 FOUND
malware-master/mirai/loader/bins/dlr.arm7: Unix.Malware.Agent-1753196 FOUND
malware-master/mirai/loader/bins/dlr.x86: Unix.Malware.Agent-1753191 FOUND
malware-master/mirai/loader/bins/dlr.sh4: Unix.Malware.Agent-1753186 FOUND
malware-master/mirai/loader/bins/dlr.ppc: Unix.Malware.Agent-1753179 FOUND
malware-master/mirai/loader/bins/dlr.arm: Unix.Malware.Agent-1768364 FOUND
malware-master/mirai/loader/bins/dlr.m68k: Unix.Malware.Agent-1753197 FOUND
malware-master/mirai/loader/bins/dlr.mips: Unix.Malware.Agent-1753182 FOUND
malware-master/mirai/dlr/release/dlr.mpsl: Unix.Malware.Agent-1753187 FOUND
malware-master/mirai/dlr/release/dlr.spc: Unix.Malware.Agent-1753199 FOUND
malware-master/mirai/dlr/release/dlr.arm7: Unix.Malware.Agent-1753512 FOUND
malware-master/mirai/dlr/release/dlr.sh4: Unix.Malware.Agent-1753174 FOUND
malware-master/mirai/dlr/release/dlr.ppc: Unix.Malware.Agent-1753492 FOUND
malware-master/mirai/dlr/release/dlr.arm: Unix.Malware.Agent-1753516 FOUND
malware-master/mirai/dlr/release/dlr.m68k: Unix.Malware.Agent-1753177 FOUND
malware-master/mirai/dlr/release/dlr.mips: Unix.Malware.Agent-1753194 FOUND
malware-master/Grum/builder+bin/out.exe: Win.Trojan.Vilsel-2129 FOUND


----------- SCAN SUMMARY -----------


Known viruses: 6556187
Engine version: 0.99.4
Scanned directories: 1594
Scanned files: 17195
Infected files: 23
Data scanned: 366.88 MB
Data read: 294.26 MB (ratio 1.25:1)
Time: 71.994 sec (1 m 11 s)

In my example command, I included the -i argument, which tells clamscan to print only files
detected by the scanner. We can see 17,195 files were scanned, 23 infections were detected,
and the process took 71 seconds to complete.
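The --log option from the full-system scan above leaves a report you can triage without rereading the terminal. Added here as an example, not code from the article or from the ClamAV project: a Python script that reads a saved clamscan report, collects the "path: Signature FOUND" lines, reads the SCAN SUMMARY block, and cross-checks the summary's infected-file count against the detections it actually saw. A scan that was interrupted before writing its summary (an overnight run cut short by a reboot, say) is therefore flagged as incomplete rather than misread as a clean result. Both sample reports are constructed for the example; the complete one has its counts adjusted so that it is self-consistent.

```python
"""Turn a clamscan report (the --log file or saved terminal output) into a triage summary."""
import re
from collections import Counter

# Constructed sample report. The path/signature lines follow the shape of the clamscan
# output shown above; the summary counts are adjusted so the sample is self-consistent.
SAMPLE_LOG = """\
malware-master/Zeus/output/builder/zsb.exe: Win.Trojan.Zbot-62846 FOUND
malware-master/Alina/Panel/gate1.php: Php.Malware.ProPOS-2 FOUND
malware-master/mirai/loader/bins/dlr.mpsl: Unix.Malware.Agent-1753181 FOUND
malware-master/mirai/dlr/release/dlr.x86: Unix.Malware.Agent-1753191 FOUND
/home/user/Documents/notes.txt: OK
/home/user/Downloads/empty.bin: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 6556187
Engine version: 0.99.4
Scanned directories: 1594
Scanned files: 17195
Infected files: 4
Data scanned: 366.88 MB
Data read: 294.26 MB (ratio 1.25:1)
Time: 71.994 sec (1 m 11 s)
"""

# Constructed report from a scan that was killed part-way: no SCAN SUMMARY block was written.
TRUNCATED_LOG = """\
malware-master/Grum/builder+bin/out.exe: Win.Trojan.Vilsel-2129 FOUND
/home/user/Documents/report.pdf: OK
"""

# Detection lines end in " FOUND"; the signature name never contains whitespace,
# so a path that itself contains ": " still parses correctly.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan_log(text):
    """Return detections, the summary block, and whether the log is complete and consistent."""
    detections = []
    summary = {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key").strip()] = m.group("value").strip()
            continue
        m = FOUND_RE.match(line)
        if m:
            detections.append((m.group("path"), m.group("sig")))
    reported = summary.get("Infected files")
    return {
        "detections": detections,
        "summary": summary,
        # No summary block means clamscan never finished: treat the result as unknown, not clean.
        "complete": bool(summary),
        # The summary count should match the FOUND lines; a mismatch points at a truncated log.
        "consistent": reported is not None and int(reported) == len(detections),
    }


def family(signature):
    """Strip the per-sample suffix (Win.Trojan.Zbot-62846 -> Win.Trojan.Zbot)."""
    return re.sub(r"-\d+$", "", signature)


def triage(result):
    """Group detections by signature family and by the top-level directory they sit in."""
    families = Counter(family(sig) for _, sig in result["detections"])
    locations = Counter(path.split("/")[0] or "/" for path, _ in result["detections"])
    return families, locations


if __name__ == "__main__":
    for name, log in (("complete", SAMPLE_LOG), ("truncated", TRUNCATED_LOG)):
        result = parse_clamscan_log(log)
        status = "complete" if result["complete"] else "INCOMPLETE (no summary block)"
        print(f"{name}: {len(result['detections'])} detections, scan {status}, "
              f"consistent={result['consistent']}")
        families, locations = triage(result)
        for fam, count in families.most_common():
            print(f"  {fam}: {count}")
        for where, count in locations.most_common():
            print(f"  under {where}/: {count}")
```

Point the script at /tmp/clamav_report.log after an overnight run. Grouping by signature family and by location shows at a glance whether you have one infected download or a family spread across the filesystem, and the "complete" flag is what stops an interrupted scan from being filed as a clean bill of health.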

For more on ClamAV, check out the official documentation.

Step 3

Monitor Applications' Internet Access with OpenSnitch


OpenSnitch is a Linux port of the popular macOS application firewall, Little Snitch. OpenSnitch
will give users a few seconds to allow or deny connections as they happen. Below is an
example of an OpenSnitch prompt.

The OpenSnitch network statistics interface provides an overview of all of the previously
allowed and denied connections.


Unfortunately, that's about all the interface has to offer at the moment. Later releases of
OpenSnitch will no doubt contain more features and control over how this information is
managed. While OpenSnitch is still very much in its infancy, I decided to include it in this
article. Windows 10 users who are more comfortable with graphical applications (GUI) may
find OpenSnitch useful for monitoring traffic originating from installed applications.

Command-line enthusiasts with an interest in raw, unfiltered packet analysis may prefer using
Tshark to monitor traffic.

Installing Dependencies

Use the below command to install the dependencies required to run OpenSnitch.

~$ sudo apt install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3

Reading package lists... Done


Building dependency tree
Reading state information... Done
The following additional packages will be installed:
dh-python golang-1.10 golang-1.10-doc golang-1.10-go golang-1.10-race-detector
golang-race-detector-runtime golang-src libexpat1-dev libnetfilter-queue1 libn
libpython3.6-dev pkg-config python-pip-whl python3-dev python3-distutils pytho
Suggested packages:
bzr git mercurial subversion python-setuptools-doc
The following NEW packages will be installed:
dh-python golang golang-1.10 golang-1.10-doc golang-1.10-go golang-1.10-race-d
golang-race-detector-runtime golang-src libexpat1-dev libnetfilter-queue-dev l
libprotoc10 libpython3-dev libpython3.6-dev pkg-config protobuf-compiler pytho
python3-setuptools python3-wheel python3.6-dev
0 upgraded, 30 newly installed, 0 to remove and 0 not upgraded.
Need to get 52.1 MB of archives.
After this operation, 280 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Use go to clone the Protocol Buffers repository. This command will not produce an output in
the terminal.

~$ go get github.com/golang/protobuf/protoc-gen-go

Then, use Python3's pip to install the gRPC tools and other dependencies.

~$ python3 -m pip install --user grpcio-tools

Collecting grpcio-tools
Downloading https://files.pythonhosted.org/packages/fb/8f/fc0c7cf8a5ed2aea405a
100% |████████████████████████████████| 22.2MB 53kB/s
Collecting grpcio>=1.12.1 (from grpcio-tools)
Downloading https://files.pythonhosted.org/packages/1f/ea/664c589ec41b9e9ac6e20
100% |████████████████████████████████| 9.0MB 133kB/s
Collecting protobuf>=3.5.0.post1 (from grpcio-tools)
Downloading https://files.pythonhosted.org/packages/fc/f0/db040681187496d10ac50
100% |████████████████████████████████| 7.1MB 136kB/s
Collecting six>=1.5.2 (from grpcio>=1.12.1->grpcio-tools)
Downloading https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa
Collecting setuptools (from protobuf>=3.5.0.post1->grpcio-tools)
Downloading https://files.pythonhosted.org/packages/7f/e1/820d941153923aac1d49
100% |████████████████████████████████| 573kB 419kB/s
Installing collected packages: six, grpcio, setuptools, protobuf, grpcio-tools
Successfully installed grpcio-1.12.1 grpcio-tools-1.12.1 protobuf-3.6.0 setuptoo

Use go get github.com/evilsocket/opensnitch to clone the OpenSnitch GitHub repository. The
"no Go files" message is expected: the repository root contains no Go package, but the source
has still been cloned into your Go workspace.

~$ go get github.com/evilsocket/opensnitch

package github.com/evilsocket/opensnitch: no Go files in /home/tokyoneon/go/src/

Add the GOPATH environment variable to your shell profile using the below command. This
tells future terminal sessions where Go binaries and projects are stored.

~$ echo 'export GOPATH=$HOME/go' >> ~/.bashrc

Then, use the source command to load the new GOPATH into the current session. This allows
the commands in the following section to execute properly.

~$ source ~/.bashrc

Configuring & Installing OpenSnitch

Use make, a utility that automatically determines which pieces of OpenSnitch need to be
recompiled. Run it from inside the cloned repository (the /home/tokyoneon/go/src/github.com/evilsocket/opensnitch
directory shown in the output below).

~$ make

make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensn
python3 -m grpc_tools.protoc -I. --python_out=../ui/opensnitch/ --grpc_python_ou
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensni
make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensn
dep: WARNING: Unknown field in manifest: prune
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensni
make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensn
The directory '/home/tokyoneon/.cache/pip/http' or its parent directory is not ow
The directory '/home/tokyoneon/.cache/pip' or its parent directory is not owned
Collecting grpcio==1.0.0 (from -r requirements.txt (line 1))
Downloading https://files.pythonhosted.org/packages/ba/f7/2138b9148b2d68431ebb0
100% |████████████████████████████████| 5.3MB 181kB/s
Collecting grpcio-tools==1.10.1 (from -r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/f0/f4/1e5a56b1c0ec2d802113c
100% |████████████████████████████████| 22.2MB 55kB/s
Collecting pyinotify==0.9.6 (from -r requirements.txt (line 3))
Downloading https://files.pythonhosted.org/packages/e3/c0/fd5b18dde17c12496585
100% |████████████████████████████████| 61kB 81kB/s
Collecting unicode_slugify==0.1.3 (from -r requirements.txt (line 4))
Downloading https://files.pythonhosted.org/packages/8c/ba/1a05f61c7fd72df85ae4
Collecting pyqt5==5.10.1 (from -r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/e4/15/4e2e49f64884edbab6f83
100% |████████████████████████████████| 107.8MB 13kB/s
Collecting configparser==3.5.0 (from -r requirements.txt (line 6))
Downloading https://files.pythonhosted.org/packages/7c/69/c2ce7e91c89dc073eb1aa
Requirement already satisfied: six>=1.5.2 in /home/tokyoneon/.local/lib/python3.
Collecting enum34>=1.0.4 (from grpcio==1.0.0->-r requirements.txt (line 1))
Downloading https://files.pythonhosted.org/packages/af/42/cb9355df32c69b553e72a
Collecting futures>=2.2.0 (from grpcio==1.0.0->-r requirements.txt (line 1))
Downloading https://files.pythonhosted.org/packages/cc/26/b61e3a4eb50653e8a733
Requirement already satisfied: protobuf>=3.0.0 in /home/tokyoneon/.local/lib/pyt
Collecting unidecode (from unicode_slugify==0.1.3->-r requirements.txt (line 4))
Downloading https://files.pythonhosted.org/packages/59/ef/67085e30e8bbcdd76e2f0
100% |████████████████████████████████| 235kB 142kB/s
Collecting sip<4.20,>=4.19.4 (from pyqt5==5.10.1->-r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/8a/ea/d317ce5696dda4df7c15
100% |████████████████████████████████| 71kB 80kB/s
Requirement already satisfied: setuptools in /home/tokyoneon/.local/lib/python3.
Installing collected packages: enum34, futures, grpcio, grpcio-tools, pyinotify,
Running setup.py install for futures ... done
Found existing installation: grpcio 1.12.1
Uninstalling grpcio-1.12.1:
Successfully uninstalled grpcio-1.12.1
Running setup.py install for grpcio ... done
Found existing installation: grpcio-tools 1.12.1
Uninstalling grpcio-tools-1.12.1:
Successfully uninstalled grpcio-tools-1.12.1
Running setup.py install for pyinotify ... done
Running setup.py install for unicode-slugify ... done
Running setup.py install for configparser ... done
Successfully installed configparser-3.5.0 enum34-1.1.6 futures-3.1.1 grpcio-1.0.0
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensni

Use the make install command with sudo to complete the installation.

~$ sudo make install

make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensn
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensni
make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensn
The directory '/home/tokyoneon/.cache/pip/http' or its parent directory is not ow
The directory '/home/tokyoneon/.cache/pip' or its parent directory is not owned
Processing /home/tokyoneon/go/src/github.com/evilsocket/opensnitch/ui
Installing collected packages: opensnitch-ui
Running setup.py install for opensnitch-ui ... done
Successfully installed opensnitch-ui-1.0.0b0
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensni

Starting OpenSnitch at Boot

To start OpenSnitch with every boot, use the systemctl command with the enable argument.

~$ sudo systemctl enable opensnitchd

Created symlink /etc/systemd/system/multi-user.target.wants/opensnitchd.service →

Reboot for the changes to take effect. OpenSnitch can be found in the icon tray. Click the
"Statistics" button to bring up the user interface.

As applications attempt to access the internet, OpenSnitch will prompt you with the ability to
allow or deny the activity.

Step 4

Regularly Monitor System Logs


Linux log files are stored in the /var/log/ directory. These files record system activity,
background daemons, kernel messages, application and server logs, authentication logs,
firewall logs, AppArmor logs, and much more.

To monitor logs in real time, use the find /var/log/ -type f \( -name "*.log" \) -exec tail -f
{} + command.

~$ find /var/log/ -type f \( -name "*.log" \) -exec tail -f {} +

==> /var/log/ufw.log <==


kernel: [ 3488.126537] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3489.152073] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3491.168057] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3495.392064] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3503.584187] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3519.712123] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.1
kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.1
kernel: [ 4201.573248] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=91.189.91

==> /var/log/kern.log <==


kernel: [ 3488.126537] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3489.152073] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3491.168057] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3495.392064] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3503.584187] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3519.712123] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.
kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.1
kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.1
kernel: [ 4201.573248] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=91.189.91

==> /var/log/alternatives.log <==


update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/identify-im
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/stream strea
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/stream-im6
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/display dis
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/display-im6
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/montage mon
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/montage-im6
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/mogrify mog
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/mogrify-im6
update-alternatives 2018-06-26 21:01:55: run with --install /usr/bin/x-terminal-

==> /var/log/installer/casper.log <==


This disc is called:
'Ubuntu 18.04 LTS _Bionic Beaver_ - Release amd64 (20180426)'
Copying package lists...gpgv: Signature made Thu Apr 26 18:43:31 2018 UTC
gpgv: using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@
Reading Package Indexes... Done
Writing new source list
Source list entries for this disc are:
deb cdrom:[Ubuntu 18.04 LTS _Bionic Beaver_ - Release amd64 (20180426)]/ bionic m
Repeat this process for the rest of the CDs in your set.

==> /var/log/fontconfig.log <==


/usr/share/fonts/truetype/sinhala: skipping, existing cache is valid: 1 fonts, 0
/usr/share/fonts/truetype/tibetan-machine: skipping, existing cache is valid: 1
/usr/share/fonts/truetype/tlwg: skipping, existing cache is valid: 58 fonts, 0 d
/usr/share/fonts/truetype/ttf-khmeros-core: skipping, existing cache is valid: 2
/usr/share/fonts/truetype/ubuntu: skipping, existing cache is valid: 13 fonts, 0
/usr/share/fonts/type1: skipping, existing cache is valid: 0 fonts, 1 dirs
/usr/share/fonts/type1/gsfonts: skipping, existing cache is valid: 35 fonts, 0 d
/usr/local/share/fonts: skipping, existing cache is valid: 0 fonts, 0 dirs
/var/cache/fontconfig: cleaning cache directory
fc-cache: succeeded

==> /var/log/dpkg.log <==


2018-06-27 00:17:36 status installed apparmor-profiles:all 2.12-4ubuntu5
2018-06-27 00:17:36 trigproc man-db:amd64 2.8.3-2 <none>
2018-06-27 00:17:36 status half-configured man-db:amd64 2.8.3-2
2018-06-27 00:17:38 status installed man-db:amd64 2.8.3-2
2018-06-27 00:17:38 configure apparmor-utils:amd64 2.12-4ubuntu5 <none>
2018-06-27 00:17:38 status unpacked apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status unpacked apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status unpacked apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status half-configured apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status installed apparmor-utils:amd64 2.12-4ubuntu5

==> /var/log/unattended-upgrades/unattended-upgrades-shutdown.log <==

==> /var/log/boot.log <==


/dev/mapper/ubuntu--vg-root: clean, 164324/10379264 files, 1928530/41497600 bloc
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group "ubuntu-vg" not found
Cannot process volume group ubuntu-vg
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Reading all physical volumes. This may take a while...
Found volume group "ubuntu-vg" using metadata type lvm2
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
2 logical volume(s) in volume group "ubuntu-vg" now active
/dev/mapper/ubuntu--vg-root: clean, 164321/10379264 files, 1928587/41497600 bloc

==> /var/log/apt/term.log <==


Unpacking apparmor-utils (2.12-4ubuntu5) ...
Selecting previously unselected package apparmor-profiles.
Preparing to unpack .../apparmor-profiles_2.12-4ubuntu5_all.deb ...
Unpacking apparmor-profiles (2.12-4ubuntu5) ...
Setting up python3-libapparmor (2.12-4ubuntu5) ...
Setting up python3-apparmor (2.12-4ubuntu5) ...
Setting up apparmor-profiles (2.12-4ubuntu5) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up apparmor-utils (2.12-4ubuntu5) ...
Log ended: 2018-06-27 00:17:38

==> /var/log/apt/history.log <==


Commandline: apt-get remove apparmor-profiles
Requested-By: tokyoneon (1000)
Remove: apparmor-profiles:amd64 (2.12-4ubuntu5)

Commandline: apt-get install apparmor-profiles apparmor-utils


Requested-By: tokyoneon (1000)
Install: python3-libapparmor:amd64 (2.12-4ubuntu5, automatic), apparmor-profiles

==> /var/log/gpu-manager.log <==


Skipping "/dev/dri/card0", driven by "vboxvideo"
Skipping "/dev/dri/card0", driven by "vboxvideo"
Does it require offloading? no
last cards number = 1
Has amd? no
Has intel? no
Has nvidia? no
How many cards? 1
Has the system changed? No
Single card detected

==> /var/log/auth.log <==


CRON[7210]: pam_unix(cron:session): session closed for user root
sudo: pam_unix(sudo:auth): conversation failed
sudo: pam_unix(sudo:auth): auth could not identify password for [tokyoneon]
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/su
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
su[7307]: Successful su for root by root
su[7307]: + /dev/pts/3 root:root
su[7307]: pam_unix(su:session): session opened for user root by (uid=0)


systemd-logind[859]: Existing logind session ID 2 used by new audit session, igno
systemd-logind[859]: New session c3 of user root.

==> /var/log/bootstrap.log <==


update-initramfs: deferring update (trigger activated)
Setting up ubuntu-minimal (1.417) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for systemd (237-3ubuntu10) ...
Processing triggers for ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Processing triggers for initramfs-tools (0.130ubuntu3) ...

==> /var/log/auth.log <==


su[7307]: pam_unix(su:session): session closed for user root
sudo: pam_unix(sudo:session): session closed for user root
systemd-logind[859]: Removed session c3.
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/su
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
su[7329]: Successful su for root by root
su[7329]: + /dev/pts/3 root:root
su[7329]: pam_unix(su:session): session opened for user root by (uid=0)
systemd-logind[859]: Existing logind session ID 2 used by new audit session, igno
systemd-logind[859]: New session c4 of user root.

This command will find any file (-type f) with the .log extension (\( -name "*.log" \)) in the
/var/log directory and use tail to print updates to the files as they occur (-f). Each log file's
output is introduced by a header in ASCII arrows (==> filename.log <==). Anyone looking to
find abnormalities on their system will find this useful.
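The find/tail pipeline above prints everything. The following is an added shell example (not from the article) that tags the security-relevant lines so that UFW blocks, sudo failures and root shells stand out from routine noise; the classify_line, summarize and watch_logs functions and the sample log lines are constructed for this example, and reading auth.log requires membership in the adm group or sudo.

```shell
#!/bin/sh
# Added example, not from the original article: a filter for the end of the
# article's "find /var/log ... -exec tail -f {} +" pipeline so that only
# security-relevant events stand out. The patterns are modelled on the kinds of
# lines the article's tail output shows (UFW blocks, sudo and su activity in
# auth.log). Reading auth.log needs membership in the adm group or sudo.

# classify_line LINE: print a short tag for an interesting line; return 1 for noise.
classify_line() {
    case "$1" in
        *"[UFW BLOCK]"*)
            echo "firewall-block" ;;
        *"pam_unix(sudo:auth): auth could not identify password"*|*"pam_unix(sudo:auth): conversation failed"*)
            echo "sudo-auth-failure" ;;
        *"Successful su for root"*)
            echo "root-shell" ;;
        *"sudo: "*" ; COMMAND="*)
            echo "sudo-command" ;;
        *"New session "*" of user root"*)
            echo "root-session" ;;
        *)
            return 1 ;;
    esac
}

# summarize: read log lines on stdin and print "count tag" per tag seen,
# most frequent first. Noise lines are dropped.
summarize() {
    while IFS= read -r line; do
        classify_line "$line" || true
    done | sort | uniq -c | sort -rn
}

# watch_logs: the article's pipeline, with each surfaced line prefixed by its tag.
watch_logs() {
    find /var/log/ -type f \( -name "*.log" \) -exec tail -f {} + 2>/dev/null |
    while IFS= read -r line; do
        tag=$(classify_line "$line") && printf '%s\t%s\n' "$tag" "$line"
    done
}

# Constructed sample lines modelled on the article's output (the destination
# address is a documentation range, not a real host), for an offline dry run.
SAMPLE_LOG='kernel: [ 3488.126537] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=203.0.113.10 PROTO=TCP DPT=443
kernel: [ 3489.152073] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=203.0.113.10 PROTO=TCP DPT=443
sudo: pam_unix(sudo:auth): auth could not identify password for [tokyoneon]
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/su
su[7307]: Successful su for root by root
systemd-logind[859]: New session c3 of user root.
fc-cache: succeeded
2018-06-27 00:17:38 status installed apparmor-utils:amd64 2.12-4ubuntu5'

# Dry run: feed the constructed sample through the summariser.
printf '%s\n' "$SAMPLE_LOG" | summarize
```

Replace the dry run with a call to watch_logs to run it against the live /var/log tree.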

We've Barely Scratched the Surface!

That concludes our series on strengthening your primary Ubuntu system...for now.

As I stated at the start of this series, this guide isn't a complete or comprehensive approach to
securing a Linux system. There are many kernel-level modifications users can make to further
reduce Ubuntu's susceptibility to various attacks. We can also do more to secure the
bootloader, enforce better login password policies, secure shared memory, browse the internet
anonymously, and so much more.

Linux operating systems have incredible potential as a platform for security-focused users. I
encourage readers to download the Beginning Ubuntu for Windows and Mac Users and
Practical Linux Security Cookbook to gain a better understanding of the Ubuntu OS and its
inner workings.

Cover image by Justin Meyers/Null Byte; Screenshots by tokyoneon/Null Byte
