Mike wrote,
> But my credo in regards to security is: better to be
> over-aware than to assume that everything is doing just fine while it - in
> reality - isn't.
Being as aware as possible is a good thing, but, knowing myself, I try to avoid the boy-who-cried-wolf scenario. I've got lots of email, and if I get regular email updates about what's in my tmp directories, I know that I'm probably going to start ignoring them. I already ignore most of my postmaster undeliverable messages :)

I do agree that the tmp directories are places where files will be placed in the event of a compromise. However, in most cases, other files will also be compromised. Your binaries and startup scripts are the most important.

I get around this problem by having multiple copies of fcheck running. One copy keeps track of everything in /etc. I get emails from that fcheck just about every day, so I ignore most of them (well, I do examine them, quickly... so I'm bound to miss things). I have a second copy of fcheck that tracks binaries and startup scripts - stuff that should never change unless I'm patching the system. Those emails I watch for like a hawk - if I get one of those, and I haven't been patching, I know I've been compromised.

I would suggest that for at least a little while you run fcheck on the entire filesystem. It will help to familiarize you with what files are altered when certain things are happening on your RaQ. Then you can tailor fcheck to ignore what you don't want, and do what is best for your situation.

In addition to fcheck, you may want to do things like schedule chkrootkit to run once a day, and schedule regular emails of ps lists and netstat. Snort is a good idea, too. Mike has some really good ideas... like that thingy he designed to email him whenever someone tries to run the compiler :)

Redundancy and layers are keys to security. Never depend on one app.

Kevin

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
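The two-tier idea Kevin describes (a noisy watch on /etc and a strict watch on binaries and startup scripts), written out as an added shell example that is not from the original post and does not use fcheck itself; the tier paths, the state directory and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or fcheck: a two-tier file-integrity check.
# Tier "critical" (binaries, startup scripts) should only change during
# patching; tier "noisy" (/etc) is expected to churn. Paths are assumptions.
FC_STATE="${FC_STATE:-/var/lib/tier-check}"                # assumed state dir
CRITICAL_PATHS="/bin /sbin /usr/bin /usr/sbin /etc/rc.d"   # assumed layout
NOISY_PATHS="/etc"

# hash_tree DIR... -> "sha256  path" lines, sorted so comparisons are stable.
# Paths containing whitespace are not handled (awk splits on it below).
hash_tree() {
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# baseline TIER DIR... : record the tier's current state (run after patching).
baseline() {
    tier=$1; shift
    mkdir -p "$FC_STATE"
    hash_tree "$@" > "$FC_STATE/$tier.db"
}

# check TIER DIR... : print "+ added", "- removed", "! changed" lines and
# return 1 when anything differs, so a cron job can key off the exit status.
check() {
    tier=$1; shift
    hash_tree "$@" > "$FC_STATE/$tier.now"
    diff_out=$(awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
        { if (!($2 in old)) print "+ " $2
          else { if (old[$2] != $1) print "! " $2; delete old[$2] } }
        END { for (p in old) print "- " p }' \
        "$FC_STATE/$tier.db" "$FC_STATE/$tier.now")
    [ -z "$diff_out" ] && return 0
    printf '%s\n' "$diff_out"
    return 1
}

# Dispatcher for cron; the critical tier mails only when something changed
# (assumed crontab line):
#   0 4 * * * /usr/local/sbin/tier-check.sh critical > /tmp/crit.$$ \
#       || mail -s "CRITICAL tier changed" root < /tmp/crit.$$
case "${1:-}" in
    init)     baseline critical $CRITICAL_PATHS; baseline noisy $NOISY_PATHS ;;
    critical) check critical $CRITICAL_PATHS ;;
    noisy)    check noisy $NOISY_PATHS ;;
esac
```

Run `init` once after a fresh install or a patch cycle, then schedule `critical` daily and `noisy` as often as you can stand reading the output.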
