On Mon, 2007-10-22 at 11:48 -1000, Dave Burns wrote: > On 10/21/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote: > > On Sunday 21 October 2007 22:38:52 Dave Burns wrote: > > > > > > You can trust the results if you reboot your system from a CD, > > > > >From my experience, rebooting a hacked system is not a pretty good idea, > > Exactly. So there are three contexts in which you are using the tools: > > 1) Not sure you've been hacked, just suspicious or vigilant. > 2) Sure you've been hacked, have not yet rebooted, looking for information. > 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or > other known-good /. > > In situation 1 and 2, you can't totally trust your tools, unless > they're giving you bad news. In situation 3 your can trust the tools > as much as you can trust the "known-good /" where they are located. So > you're never totally sure you're in the clear. > > I guess the truly paranoid might boot from a CD and do an audit > periodically, I guess that might make me feel pretty confident. Hard > to automate it (and may open up new vulnerabilities), no one wants it > happening during ordinary working hours, and I don't want to be doing > it by hand outside ordinary hours. Yuck. I keep a write-protectable USB FLASH disk with necessary utilities on it such as netstat, ls, ps, rm, chattr, lsattr, find, chkrootkit, etc. I plug it in, mount it (typically at /media/DeHack) and do forensics such as # /media/DeHack/bin/netstat -lpn That way I know I'm using an uncompromised version of the utilities I need. With F7 and such, you could boot a live CD of the system and do your forensics that way, but you won't see the hacked network stuff since the hacked system won't be booted and the suspect stuff won't be running. It would be a good way to get uncompromised versions of the programs onto your forensics media, however. Best bet: Unplug the suspect machine from your network, plug in your dehacking tools drive (write protected, of course) and have at it. > >To evalue my general system security I use babel > > Is that comparable to nagios, or more security oriented? > > gracias, > Dave > ---------------------------------------------------------------------- - Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx - - CDN Systems, Internap, Inc. http://www.internap.com - - - - Memory is the second thing to go, but I can't remember the first! - ---------------------------------------------------------------------- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list