1999-08-13-22:03:17 [EMAIL PROTECTED]:
> The standard way, run the checker frequently from cron off a CD that you
> burned, that includes the fingerprints of the files you want to check.
> And verify by hand every once in a while that a hacker hasn't unmounted
> the CD and replaced it with his modified checker and fingerprint files in
> the filesystem where the CD is normally mounted. But a really good hacker
> could install a modified kernel to redirect filesystem requests from your
> CD to his own hidden modified checker and fingerprints. There's no perfect
> solution if someone gets root on your machine, they can do anything. The
> last resort is to rebuild your machine every once in a while from scratch,
> but that just means they have to re-hack you every once in a while.

My favourite is to audit backups periodically. Still doesn't catch a
sufficiently thoroughly hacked system. The only way to catch one of those is
an offline analysis: boot an offline, known-good copy of the OS; run an
offline, known-good copy of the checker executable with offline libs against
an offline database.

Turns out if you install your system with a good software packaging tool like
e.g. RPM, and you keep your installation media archived, and keep archival
copies of packages of all software you add or update on the system, you can
perform precisely the needed analysis. Plus of course you're set to rebuild
the system if e.g. it throws a disk.

I don't like re-installing; if they got in before, they can get in again, and
computers let things like this be automated. If I think someone might have
gotten in, I want to know how they got in.

-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
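The fingerprint-database check the thread describes, as an added example that is not part of the original posts and not any particular checker's code: it builds a database of per-file hashes, modes and sizes for a tree, and later compares the live tree against that database to report files that were added, removed or modified. In the scheme above the database and the checker itself would live on read-only media and be run from cron; here everything runs against a constructed temporary tree with made-up paths so it executes offline. The caveat from the thread still holds: run on the live system, a check like this can only be trusted as far as the kernel serving the files is, which is why the offline-boot analysis is the last word.

```python
"""Added example (not from the original thread): a minimal file-integrity
checker of the kind the posts describe. All file names and contents below are
constructed for the demonstration."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes a checker compares: content hash, mode bits, size."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "size": st.st_size,
    }


def build_database(root: Path) -> dict:
    """Walk the tree and fingerprint every regular file. Symlinks are skipped
    rather than followed, so a link pointing outside the tree is never hashed
    as if it were the file it replaces."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            db[str(p.relative_to(root))] = fingerprint(p)
    return db


def verify(root: Path, db: dict) -> dict:
    """Compare the live tree against a previously stored database."""
    current = build_database(root)
    added = sorted(set(current) - set(db))
    removed = sorted(set(db) - set(current))
    modified = sorted(k for k in set(db) & set(current) if db[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a tampered
    binary, a dropped-in file and a deleted config, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin" / "login").write_bytes(b"original login binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # This is the step whose output would be burned to the read-only media.
        db_json = json.dumps(build_database(root), sort_keys=True)

        # Simulated intrusion: replaced binary, extra file, removed config.
        (root / "sbin" / "login").write_bytes(b"replaced login binary\n")
        (root / "sbin" / ".hidden").write_bytes(b"x")
        (root / "etc" / "passwd").unlink()

        # The periodic check loads the stored database and compares.
        return verify(root, json.loads(db_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The database is plain JSON so it can be diffed by hand during the manual spot-check the first post recommends; comparing mode bits as well as the hash catches a file whose content is intact but has been made setuid.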
