Updating the Air-Gapped System

miroR · 2017-06-27 17:23:44

title: Updating the Air-Gapped System
and some actual virus removal
---
This is a text that I had prepared three days ago, but hardware failure and complexity of the installation methods that I chose... and, I'm posting this only today... Just bear in mind the delay.

Also the other two topics were prepared three days ago. Sorry for the inconvenience.
---

Air-Gapped Devuan Install, Tentative
https://dev1galaxy.org/viewtopic.php?id=746

sans-dbus, Questions, Tips and Tricks on its Implementation
https://dev1galaxy.org/viewtopic.php?id=761

I'll use the two topics that I have been writing yesterday and today, to make a tip on updating the air-gapped master machine.

Just how many of you users and how often get the feeling, or come to ascertain to be the truth, that after having visited some website, or gone/done something else, whatever, on the internet, that something in your system is not right anymore...

Surely people experiencing escapades like these in their system:

System attacked, Konqueror went on window-popping spree!
https://forums.gentoo.org/viewtopic-t-905472.html

or

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-9 … ml#7895428
( where find Schmoog and Yooch in (What?) Action )

or

Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/ … ange-bash/
( and links from there )

are not so very common, but neither are they (or should I say: you) too rare to come across.

So how about being able to keep your system essentially as it was when you installed it offline, and from a verifiable and highly trusted sources like the Devuan install DVD? As it was in the sense of reliability and verifiability.

Well, I've just made a topic about Air-Gapping Devuan, and I want to make an addition on the actually more laborious and generally at least somewhat time-consuming daily to weekly (which depends on the tasks you do online) routine of updating the Air-Gapped Devuan machine with what you need to keep from the clone of it that you go to internet with.

I'm not going to repeat what I already wrote elsewhere, just show you by example how it can be done.

In fact, there could be at least a somewhat better way of Air-Gapping/Cloning than I do, but only if you can afford it. And that is getting yourself a one-way connection from the air-gapped to the online clone (which reliably does not let any traffick from the clone to happen, some so called one-way <whatever> reportedly mess it up), but I'm so poor at this time that I can't even afford to go and buy me a Lime2 yet, or and extra USB stick...

But even if you have that one way connection which cuts your efforts significantly because with it you can more quickly dd ("man dd") clone you Air-Gapped onto the online machine to completely overwrite the system partitions of the clone... [But even if you have that one way connection], you still need to selectively keep some stuff from the clone which you did whatever you do online with, and save it, and you have to save that stuff before you overwrite the clone clean!... That's the point!

And you have to save that stuff into the Air-Gapped (and some of it possibly elsewhere), so you can have (the part that you need again when you are online) all that which you gathered/downloaded/noted/whatever while you were online, [so you can have it] again, after having archived it, now redeployed, and in good healthy conditions, [so you can have it again] in your online machine, which have been in the meantime, in all other respects, completely recreated from the verifiable state of your Air-Gapped master machine.

So here goes my example of how I do it.

I have just, with a backup script, which you can probably easily figure out how to make a similar one for your needs, made these archives:

# ls -ABRgo
.:
total 928476
-rw-r--r-- 1   2351036 2017-06-24 13:13 Cmn_src_miroR_tshark-hosts-conv_170624_gdO.tar.gz
-rw-r--r-- 1    849401 2017-06-24 13:13 etc_170624_gdO.tar.gz
-rw-r--r-- 1  53011535 2017-06-24 13:16 mr_170624_gdO.tar.gz
-rw-r--r-- 1     18053 2017-06-24 13:15 root_170624_gdO.tar.gz
-rw-r--r-- 1       941 2017-06-24 13:24 SUMS
-rw-r--r-- 1       321 2017-06-24 14:00 SUMS.log
-rw-r--r-- 1     28261 2017-06-24 13:13 ulb_170624_gdO.tar.gz
-rw-r--r-- 1 358059023 2017-06-24 13:14 var_170624_gdO.tar.gz
-rw-r--r-- 1 334447229 2017-06-24 13:24 var_cache_170624_gdO.tar.gz
-rw-r--r-- 1  37119090 2017-06-24 13:23 var_lib_apt_170624_gdO.tar.gz
-rw-r--r-- 1 164830030 2017-06-24 13:15 var_lib_clamav_170624_gdO.tar.gz
-rw-r--r-- 1     13531 2017-06-24 13:16 var_mail_mr_170624_gdO.tar.gz

And now, line by line:

total 928476

That's some more than 900M. But contains likely all that I will need.

And this:

-rw-r--r-- 1   2351036 2017-06-24 13:13 Cmn_src_miroR_tshark-hosts-conv_170624_gdO.tar.gz

is my update of the:
https://github.com/miroR/tshark-hosts-c … ag/v0.99.2
That one actually is not on the system partition. But it is important to me.

This is entire /etc :

-rw-r--r-- 1    849401 2017-06-24 13:13 etc_170624_gdO.tar.gz

Not entire /home/mr, but stuff that I likely don't need, I put in a /home/mr/SOME-DIR and I add " --exlude=SOME-DIR when I tar czf the /home/mr :

-rw-r--r-- 1  53011535 2017-06-24 13:16 mr_170624_gdO.tar.gz

50M is not so much, lots of recesses and angles in there need to be perused for copying or, after untar'ing, rsyncing into the master's /home/mr/ ...

The /root, a must for archiving of course:

-rw-r--r-- 1     18053 2017-06-24 13:15 root_170624_gdO.tar.gz

The SUMS, just sha256, absolutely must match. There are no excuses there!

-rw-r--r-- 1       941 2017-06-24 13:24 SUMS
-rw-r--r-- 1       321 2017-06-24 14:00 SUMS.log

Ah, the new scripts that I realized that I needed for the online... :

-rw-r--r-- 1     28261 2017-06-24 13:13 ulb_170624_gdO.tar.gz

The /var . I keep the logs!

-rw-r--r-- 1 358059023 2017-06-24 13:14 var_170624_gdO.tar.gz

No stinking idiot is going to be telling me that I spam, like the idiots from my local providers invented that I did, and never replied when that alleged spamming happened!
https://forums.gentoo.org/viewtopic-t-9 … ml#7682770

This one (and the next one below):

-rw-r--r-- 1 334447229 2017-06-24 13:24 var_cache_170624_gdO.tar.gz

will very likely suffice, in the future (I mean two like those), instead of all my exercize in the earlier topic, the yesterday's one:
Air-Gapped Devuan Install, Tentative
But the principles behind all of this Air-Gapping tentative remain very well like I explained in it...

See my note at the item just above, it applies to this item too:

-rw-r--r-- 1  37119090 2017-06-24 13:23 var_lib_apt_170624_gdO.tar.gz

And this is simply /var/lib/clamav . Obviously necessary.

-rw-r--r-- 1 164830030 2017-06-24 13:15 var_lib_clamav_170624_gdO.tar.gz

And this is also necessary, else the system mail (root's as well, which goes to user mr, I will reconfigure this, but currently it would be lost if I don't copy this over into the mbox /var/mail/mr ofthe Air-Gapped system.

-rw-r--r-- 1     13531 2017-06-24 13:16 var_mail_mr_170624_gdO.tar.gz

But I can't go straight into updating my Air-Gapped with this stuff. First I want to check these with clamav. And I'll do that in the cloned machine. Less of a risk, because there is no such perfection with the intruders either, my cloned machine is likely not just yet and already compromised again... Because intrusions always show their disorderly signs, only less and less obvious ones as our times roll into the future... Those blackhats are getting ever smarter, only not that smart, I hope... Do compare the difference in the obviousness of the intrusions in the three links at the top! And the last, the latest would have become pretty bad and dangerous, maybe the most dangerous of the three. Except that... I don't use that system any more... for that reason.

So I want to check these with clamav. And in the cloned machine (notice that I write in the Air-Gapped, and but for that task and little else if anything, no other work I do in the cloned machine, until it is completely overwritten with the master dd dumps, updated master dd dumps of course)...

[And in the cloned machine] I'll run:

# for i in $(ls -1 *.tar.gz); do ls -l $i; tar tf $i | head -5; read FAKE; done ;

which is preliminary to see what I would get, and then:

# for i in $(ls -1 *.tar.gz); do ls -l $i; tar xf $i | head -5; read FAKE; done ;

( see 's/t/x/' there ).

And then:

# mkdir CHECK
# mv -iv */ CHECK/

and finally:

# clamscan -r -i CHECK /var/log/clamav/clamscan_$(date +%y%m%d_%H%M)_the_update.log

I am aware that this does not check it, say, for rootkits, but I'm very much afraid that the rootkits are more in the wild than what rkhunter is aware of...

And, anyway, who can protect you from stuff like this? Have a look:

phpBB Strange White Space problem
https://forums.gentoo.org/viewtopic-t-1 … ml#7838702
where my scripts that I had posted couldn't possibly work anymore because, as I elude, for peaceful euphemism, was the phpBB fault... And it consisted in replacing the plain ASCII 0x20 SPACE, with Unicode's:

U+00A0 c2 a0 NO-BREAK SPACE

But I sincerely hope such treason and bias, to the level of doing harm to members of your own community is not going to develop in Devuan community. I hope... I do hope, even knowing that the most known person in the history of the world lived with a traitor nearby, till the final betrayal, and torture and death...

But, we're all doing what we can.

Clamav found something and this is how I updated it (of course, the options were first: " -nav --delete", and only then the below):

# rsync -av /mnt/h_Ref2/170624_Add/170624_gdO/ /Cmn/m/B/170624_gdO/
sending incremental file list
./
clamscan_170624_1530_the_update.log
clamscan_170624_1608_the_update.log
clamscan_170624_1654_clean.log
history_170624_1700_gdOv
mr_170624_gdO_CLEAN.tar.gz

sent 52,766,884 bytes received 114 bytes 11,725,999.56 bytes/sec
total size is 1,003,486,450 speedup is 19.02
#

The 4 founds are all from the idiotic provider of mine (
T-com, privitized with the stolen moneys by former yugoslavian regime worst people in power that plundered the country around the time that Croatia gained independence from that despicable conglomerate-state, which (renamed "Croatian" T-com) is only nominally German-owned company, the German T-com being a way to launder money for the real shareholders...
This firm holds some 80% of share of the market in Croatia by sly and brute force means even though provides worst kind of service, and it may be hard to switch away from and go to some other provider)...

And a company of such stature affords to send these viri --how can a respectable mail server non detect these?... I never, I'll repeat: never, got any virus from https://www.plus.hr who host my www.CroatiaFidelis.hr NGO domain, and my miro.rovis @ <that domain> email address-- ...

So, these the 4 founds, all from that idiotic provider of mine:

# cat clamscan_170624_1608_the_update.log

HECK/mr/Maildir/.miroslavrovis1@zghthr.ththr-spam/new/1497451388.M191923P916V000000000000FC00I000000000030BC1B_0.gd0v,S=84115: Doc.Downloader.Jaff-6329915-0 FOUND
CHECK/mr/Maildir/.miroslavrovis1@zghthr.ththr-spam/new/1496056154.M304798P16485V000000000000FC00I000000000030B385_0.gd0v,S=95520: Doc.Downloader.Jaff-6329915-0 FOUND
CHECK/mr/Maildir/.miroslavrovis1@zghthr.ththr-spam/new/1497451396.M540165P1455V000000000000FC00I000000000030BC21_0.gd0v,S=84727: Doc.Downloader.Jaff-6329914-0 FOUND
CHECK/mr/Maildir/.miroslavrovis1@zghthr.ththr-spam/cur/1495636729.M683899P30849V000000000000FC00I000000000030B15C_0.gd0v,S=100000:2,: Doc.Downloader.Jaff-6329915-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6298541
Engine version: 0.99.2
Scanned directories: 940
Scanned files: 7214
Infected files: 4
Data scanned: 1036.48 MB
Data read: 1031.12 MB (ratio 1.01:1)
Time: 321.662 sec (5 m 21 s)

That means I first had to remove those exact files (now's actual paste from the history_1706xxx above --because I may have made a mistake, and will have a question related to it):

  754  ls -l $(cat /var/log/clamav/clamscan_170624_1608_the_update.log  | grep FOUND | sed 's/: Doc\.Downloader\.Jaff-6329914-0 FOUND//' | sed 's/: Doc\.Downloader\.Jaff-6329915-0 FOUND//')
  755  for i in $(ls -1 $(cat /var/log/clamav/clamscan_170624_1608_the_update.log  | grep FOUND | sed 's/: Doc\.Downloader\.Jaff-6329914-0 FOUND//' | sed 's/: Doc\.Downloader\.Jaff-6329915-0 FOUND//')); do clamscan -r -i - ; done ;
  756  for i in $(ls -1 $(cat /var/log/clamav/clamscan_170624_1608_the_update.log  | grep FOUND | sed 's/: Doc\.Downloader\.Jaff-6329914-0 FOUND//' | sed 's/: Doc\.Downloader\.Jaff-6329915-0 FOUND//')); do cat $i | clamscan -r -i - ; done ;
  757  ls -l $(cat /var/log/clamav/clamscan_170624_1608_the_update.log  | grep FOUND | sed 's/: Doc\.Downloader\.Jaff-6329914-0 FOUND//' | sed 's/: Doc\.Downloader\.Jaff-6329915-0 FOUND//')
  758  mkdir Test/
  759  mv -vi $(cat /var/log/clamav/clamscan_170624_1608_the_update.log  | grep FOUND | sed 's/: Doc\.Downloader\.Jaff-6329914-0 FOUND//' | sed 's/: Doc\.Downloader\.Jaff-6329915-0 FOUND//') Test/
  760  ls -l Test/
  761  clamscan -r -i Test/
  762  clamscan -r -i Test/
  763  bg
  764  ls -l Test/
  765  ls -lh Test/
  766  cat /var/log/clamav/clamscan_170624_1608_the_update.log
  767  clamscan -r -i CHECK/mr/Maildir/.miroslavrovis1\@zghthr.ththr-spam/ |& tee /var/log/clamav/clamscan_$(date +%y%m%d_%H%M)_clean.log
  768  bg
  769  ls -l
  770  ls -l CHECK/mr/
  771  cd CHECK/
  772  tar tf ../mr_170624_gdO.tar.gz  | head -5
  773  tar czf ../mr_170624_gdO_CLEAN.tar.gz mr/
  774  ls -l ../mr_170624_gdO.tar.gz  ../mr_170624_gdO_CLEAN.tar.gz 
  775  history > ../history_$(date +%y%m%d_%H%M)_$(hostname)

If anyone can follow above, my question is, was the line that contains:

cat $i | clamscan -r -i -

right... I wanted to check if it found anything... But I'm not an expert. Maybe to cat a contaminated file is bad... And also how bad are these? But if it's too much I'm asking, forget it...

Anyway, the rest is removing those, and making the CLEAN archive.

Really glad I didn't try it in the master Air-Gap machine, on the other hand! Phew!

I forgot I should have expected to find stull like this. Possibly there is a break necessary now with this topic. Also because I'm struggling to make the other two topics this day, so I don't have to change the "today"s which I already wrote in the prepared texts.

But I guess the example is already mostly clear...

The officially official Devuan Forum!

#1 2017-06-27 17:23:44

Updating the Air-Gapped System

Board footer