On Thu, May 08, 2008 at 09:02:48AM -0600, Chris Cameron wrote:
> For our Windows/Solaris/Linux servers, we've had PWC say that they're
> qualified and able to do post-intrusion forensics on our server(s).
> I'm told this will go a long way in making everyone in our company as
> well as our customers feel better. Partly because it's an outside
> party verification of what happened, and partly because everyone knows
> PWC.
> 
> What PWC won't do for us is OpenBSD forensics; and thus the reason for
> this email. Does anyone know of a company that does this? We like big
> names, but management seems to understand that that isn't always
> possible with OpenBSD.

You may get more useful responses if you are willing to share your
location... is UpNIX your company, or do you happen to have an account
with them?

Have you considered http://www.openbsd.org/support.html? Of course, all
those firms are somewhat smaller than PricewaterhouseCoopers. On the
other hand, some developers may be found there (I found Otto Moerbeek
and Reyk Floeter in the past; I'm sure I've missed some), and there are
quite a few firms specializing in security in one way or another. I am
not familiar with any of them, and any advice is likely to be
location-dependent anyway.

If you find an organization on http://www.openbsd.org/users.html that is
in some way related to your own, they may be able to offer some
assistance.

This is probably not an option for you, but it may be easier to find a
company that can audit/pentest OpenBSD than one that can do
post-intrusion forensics. OpenBSD has some tricks that can make actually
exploiting some common security vulnerabilities more difficult, but that
is not necessarily a problem unless you require a pen-test to actually
penetrate (as opposed to using it as a way of finding potentially
exploitable bugs).

If you are willing to undertake action yourself, note that AIDE is in
ports (security/aide) and security(8) runs nightly (and can be tuned to
watch additional files). Either can be very useful in post-intrusion
analysis or even in detecting an intrusion, especially on systems where
very few files change legitimately - like on a firewall, where only log
files will change. If so inclined, you could include AIDE on a bootable
CD containing file checksums. I've also seen a Samhain port on ports@,
and tools/sleuthkit is also available.
This is not necessarily sufficient for a general range of systems; but
if you use OpenBSD (only) as a router and firewall platform, this is a
very good - and cheap - way of doing intrusion detection and forensics.

                Joachim

-- 
TFMotD: quiz (6) - random knowledge tests
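A minimal baseline-and-compare script in the spirit of the AIDE / security(8) approach suggested above, added here as an example (it is neither the poster's nor AIDE's own code). It hashes a file tree, stores the baseline, and reports added, removed and changed files while ignoring a path prefix such as ./var/log; the directory layout, file names and contents in demo() are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not AIDE's code): a tiny AIDE-style
# baseline/compare over a file tree. Paths and contents below are constructed.

file_hash() {
    # sha256sum on Linux; OpenBSD's sha256 -r prints the same "hash path" layout
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else sha256 -r "$1"; fi | cut -d' ' -f1
}

hash_tree() {
    # Print "hash<TAB>./relative/path" for every regular file under $1
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(file_hash "$f")" "$f"
    done )
}

baseline() { hash_tree "$1" > "$2"; }   # $1 tree, $2 baseline file (keep it off-box)

compare() {
    # $1 tree, $2 baseline file, $3 optional path prefix to ignore (e.g. ./var/log)
    hash_tree "$1" > "$2.now"
    awk -F'\t' -v ex="${3:-}" '
        function report(kind, p) { if (ex == "" || index(p, ex) != 1) print kind "\t" p }
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { new[$2] = $1 }
        END {
            for (p in old) if (!(p in new)) report("REMOVED", p)
            for (p in new) {
                if (!(p in old)) report("ADDED", p)
                else if (old[p] != new[p]) report("CHANGED", p)
            }
        }' "$2" "$2.now" | LC_ALL=C sort
    rm -f "$2.now"
}

demo() {
    # Constructed firewall-like tree: a config, a binary, and a log that legitimately grows
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/etc" "$t/root/usr/sbin" "$t/root/var/log"
    printf 'pass in on egress\n' > "$t/root/etc/pf.conf"
    printf 'binary-placeholder\n' > "$t/root/usr/sbin/sshd"
    printf 'May  8 09:02 authlog line\n' > "$t/root/var/log/authlog"
    baseline "$t/root" "$t/base"
    # Later: the log grows (expected), the binary is replaced and a new file appears
    printf 'another authlog line\n' >> "$t/root/var/log/authlog"
    printf 'replaced-binary-placeholder\n' > "$t/root/usr/sbin/sshd"
    printf 'placeholder\n' > "$t/root/etc/rc.local"
    compare "$t/root" "$t/base" ./var/log   # prints ADDED ./etc/rc.local, CHANGED ./usr/sbin/sshd
    rm -rf "$t"
}
```

The baseline file only has value if the host cannot rewrite it, so store it on the read-only media mentioned above or on another machine.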