at some point must update redhat kernel to prevent
remote users from crashing machine!
something convenient for exam-anxious students
/usr/share/config/kcmlocalerc saved as /usr/share/config/kcmlocalerc.rpmsave
/etc/X11/xdm/Xsetup_0 saved as /etc/X11/xdm/Xsetup_0.rpmsave
up to date patches
/etc/hosts.allow
/etc/hosts.deny
nmap
iptraf
tcpdump
ntop
http://ncb.intnet.mu/security/news03.htm
* tripwire like md5sum on any subdirectory recursively
without following softlinks
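One way to build that "tripwire-like" check, as an added example that is not part of the original notes: a snapshot of every regular file under a directory (digest, mode, size) taken without following symlinks, plus a comparison of two snapshots that reports added, removed and modified paths. The digest defaults to md5 because the note says md5sum; a stronger algorithm can be passed in. The demo tree it builds is constructed for illustration.

```python
"""Tripwire-style integrity baseline for a directory tree (added example)."""
import hashlib
import os
import shutil
import stat
import sys
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, int, int]]  # relative path -> (digest, mode, size)


def hash_file(path: str, algo: str = "md5") -> str:
    # The note says md5sum; the algorithm is a parameter so sha256 can be used instead.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, algo: str = "md5") -> Snapshot:
    """Digest, permission bits and size of every regular file below root.

    Symlinks are neither followed nor hashed: os.walk(followlinks=False) keeps
    symlinked directories out of the walk, and os.lstat lets us skip symlinked files.
    """
    result: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic order
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: look at the link itself, not its target
            if not stat.S_ISREG(st.st_mode):
                continue  # symlink, socket, device node, fifo
            rel = os.path.relpath(full, root)
            result[rel] = (hash_file(full, algo), stat.S_IMODE(st.st_mode), st.st_size)
    return result


def compare(old: Snapshot, new: Snapshot) -> Dict[str, List[str]]:
    """Report paths that appeared, disappeared, or whose digest/mode/size changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo_run() -> dict:
    """Constructed demonstration: build a small tree, baseline it, tamper, re-check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary contents\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        os.symlink("passwd", os.path.join(root, "passwd-link"))  # must be ignored
        baseline = snapshot(root)
        # Simulated tampering: binary altered, unexpected file added, a file removed.
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"appended bytes\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new file\n")
        os.remove(os.path.join(root, "passwd"))
        report = compare(baseline, snapshot(root))
        report["baseline_paths"] = sorted(baseline)
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for rel, (digest, mode, size) in sorted(snapshot(sys.argv[1]).items()):
            print(f"{digest}  {mode:04o}  {size:>10}  {rel}")
    else:
        print(demo_run())
```

Run it with a directory argument to print a baseline; the baseline itself should be stored off-line (the HOWTO's floppy advice applies here too), since a stored digest list on the same disk can be edited along with the files it describes.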
logs
/var/lib/rpm/
World-writable files, particularly system files, can be a security
hole if a cracker gains access to your system and modifies them.
Additionally, world-writable directories are dangerous, since they
allow a cracker to add or delete files as he wishes. To locate all
world-writable files on your system, use the following command:
root# find / -perm -2 ! -type l -ls
9.3. Backup Your RPM or Debian File Database
In the event of an intrusion, you can use your RPM database like you
would use tripwire, but only if you can be sure it too hasn't been
modified. You should copy the RPM database to a floppy, and keep this
copy off-line at all times. The Debian distribution likely has
something similar.
The files /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm
most likely won't fit on a single floppy. But if compressed, each
should fit on a separate floppy.
Now, when your system is compromised, you can use the command:
root# rpm -Va
to verify each file on the system. See the rpm man page, as there are
a few other options that can be included to make it less verbose.
Keep in mind you must also be sure your RPM binary has not been
compromised.
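Triage helper for the `rpm -Va` output mentioned above, as an added example that is not from the HOWTO. rpm -V prints one line per file that fails verification: a column of attribute letters (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities; a dot means the attribute matched), an optional file-type marker such as `c` for config files, then the path; unreadable files are printed as `missing`. The script parses those lines and rates them so that a changed non-config binary stands out from routine config edits and mtime drift. The sample lines are constructed.

```python
"""Rate the lines `rpm -Va` prints (added example, sample output constructed)."""
import re
from typing import Dict, List, Optional

FLAG_MEANING = {
    "S": "size differs",
    "M": "mode differs (permissions or type)",
    "5": "digest differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}
CONTENT_FLAGS = {"S", "5", "L", "D"}   # the file's contents are not what was packaged
META_FLAGS = {"M", "U", "G", "P"}      # owner, permissions or capabilities changed
SEVERITY_ORDER = {"high": 0, "low": 1, "info": 2}

# e.g. "S.5....T.  c /etc/ssh/sshd_config"  or  ".M.......    /usr/bin/passwd"
VERIFY_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$")

SAMPLE_OUTPUT = [  # constructed, not a real verification run
    "S.5....T.    /bin/login",
    ".M.......    /usr/bin/passwd",
    "S.5....T.  c /etc/ssh/sshd_config",
    ".......T.    /usr/share/doc/README",
    "missing     /usr/lib/libfoo.so",
    "Unsatisfied dependencies for some-package: libbar.so",
]


def parse_line(line: str) -> Optional[Dict]:
    """Return a finding dict for a verification line, or None for anything else."""
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return {"path": m["path"], "missing": True, "flags": "", "ftype": m["ftype"] or ""}
    m = VERIFY_RE.match(line)
    if m:
        flags = "".join(c for c in m["flags"] if c in FLAG_MEANING)  # drop '.' and '?'
        return {"path": m["path"], "missing": False, "flags": flags, "ftype": m["ftype"] or ""}
    return None


def rate(finding: Dict) -> str:
    """high: contents/ownership/mode changed or file gone; low: edited config; info: mtime only."""
    if finding["missing"]:
        return "high"
    flags = set(finding["flags"])
    if finding["ftype"] == "c":
        # Config files are expected to be edited; only ownership/mode changes are alarming.
        return "high" if flags & META_FLAGS else "low"
    if flags & (CONTENT_FLAGS | META_FLAGS):
        return "high"
    return "info"  # only mtime drift, or rpm could not verify ('?')


def triage(lines: List[str]) -> List[Dict]:
    """Parse, rate and sort rpm -V output, most severe findings first."""
    findings = []
    for line in lines:
        fnd = parse_line(line)
        if fnd is None:
            continue
        fnd["severity"] = rate(fnd)
        fnd["reasons"] = [FLAG_MEANING[c] for c in fnd["flags"]] or (
            ["file missing"] if fnd["missing"] else [])
        findings.append(fnd)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["path"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f"{f['severity']:<5} {f['path']:<30} {'; '.join(f['reasons'])}")
```

To use it on a real system, pipe the verification output in (`rpm -Va | python3 triage.py`, reading `sys.stdin` instead of SAMPLE_OUTPUT). The rating is only as trustworthy as the rpm binary and the database it reads, which is exactly the caveat above: a tampered `rpm` or `/var/lib/rpm` can report a clean system.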
This means that every time a new RPM is added to the system, the RPM
database will need to be rearchived. You will have to decide the
advantages versus drawbacks.
Internal integrity system
duplicate static logs
like packages.rpm etc that should never change
what to do in case of a security breach
send e-mail to korte@lite.msu.edu for now
maybe help@lite.msu.edu?
display warning message to all instructors
with limited information about nature
of security breach