Re: Linux hardening
From: Jayson Anderson (sonick_at_sonick.com)
Date: 08/24/05
- Previous message: Gusain, Subodh: "RE: linux password cracking tools"
- In reply to: Norwich University - Information Security: "Re: Linux hardening"
- Next in thread: Glynn Clements: "Re: Linux hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: infosec@norwich.edu
Date: Wed, 24 Aug 2005 10:40:14 -0700
Partially speaking, a good dent can be made by exhaustively culling
through /etc of course, *.cf and *.conf can help, source code if it applies
to your site, all suid and sgid binaries (Modify:) in addition to a few
site and host-specific executions of 'find' with the '-anewer',
'-cnewer' and '-newer' flags primarily. Clever (read: site relevant)
application of [elapsed] times can result in a couple of text files that
contain well beyond the majority of what will need integrity monitoring
to some degree. Just need to sit for a spell and give thorough
consideration to each line entity, with a few follow-up finds as needed.
The rest is just recollection, critical apps and filesystem awareness in
general. Add them all together and that's a good dent in what will need
monitoring...... 'best practice' and 'de facto' are too small of a
scope versus host-wide, so thorough hardening and monitoring is almost
always exhaustive and exhaustING..... at least in my experience where it
is most critical that mishaps be held down to a minimum.....
Jayson
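As an added illustration of the approach Jayson describes (an example script written for this page, not code from his message or from the list), the POSIX shell below builds the "couple of text files" of monitoring candidates with find's -name, -perm and -newer tests, appends hand-picked files that no pattern catches, snapshots SHA-256 hashes of the result, and diffs a later snapshot against that baseline. The directory tree, file names and the 2000-01-01 reference timestamp are constructed for the example; on a real host ROOT would be / and REF a site-chosen timestamp file.

```shell
#!/bin/sh
# Added example: turn the "find the right files, then monitor them" idea into
# a runnable baseline/compare loop. Tree, names and timestamps are constructed.

# list_candidates ROOT REF [EXTRA...]: sorted, de-duplicated candidate list.
#   - *.cf / *.conf under ROOT/etc
#   - setuid and setgid binaries anywhere under ROOT
#   - files modified after REF (-newer = mtime; -anewer / -cnewer work the same
#     way against atime / ctime), with ROOT/tmp pruned as too noisy to track
#   - EXTRA paths picked by hand ("recollection"), e.g. /etc/passwd
list_candidates() {
    root=$1; ref=$2; shift 2
    {
        find "$root/etc" -type f \( -name '*.cf' -o -name '*.conf' \)
        find "$root" -type f \( -perm -4000 -o -perm -2000 \)
        find "$root" -path "$root/tmp" -prune -o -type f -newer "$ref" -print
        for p; do [ -f "$p" ] && printf '%s\n' "$p"; done
    } 2>/dev/null | sort -u
}

# snapshot LIST: print "sha256  path" for every path in LIST. A path that has
# disappeared is skipped here and surfaces as "removed" in the comparison.
snapshot() {
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$path"
        else
            shasum -a 256 "$path"   # macOS / BSD fallback
        fi
    done < "$1"
}

# compare_snapshots BASELINE CURRENT: one sorted line per difference:
# "added PATH", "removed PATH" or "changed PATH". Paths containing whitespace
# are not handled because awk splits the hash line on whitespace.
compare_snapshots() {
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in cur)  if (!(p in base)) print "added " p
             for (p in base) if (!(p in cur)) print "removed " p
             for (p in base) if ((p in cur) && base[p] != cur[p]) print "changed " p
         }' "$1" "$2" | sort
}

# build_fixture DIR: constructed stand-in for a host. The reference file is
# dated 2000-01-01; "long installed" files are back-dated to 1999 so that only
# the recently edited sshd_config (and the pruned tmp file) are -newer.
build_fixture() {
    d=$1
    mkdir -p "$d/etc/ssh" "$d/usr/bin" "$d/tmp"
    printf 'nameserver 192.0.2.1\n' > "$d/etc/resolv.conf"      # caught by *.conf
    printf 'PermitRootLogin no\n'   > "$d/etc/ssh/sshd_config"  # caught by -newer
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/etc/passwd"  # hand-picked extra
    printf 'fake binary\n' > "$d/usr/bin/passwd"                 # caught by -perm
    chmod 4755 "$d/usr/bin/passwd"
    printf 'scratch\n' > "$d/tmp/session"                        # pruned
    touch -t 200001010000 "$d/reference"
    touch -t 199901010000 "$d/usr/bin/passwd" "$d/etc/passwd" "$d/etc/resolv.conf"
}

# demo: build the fixture, take a baseline, simulate drift, report it.
demo() {
    work=$(mktemp -d)
    build_fixture "$work/host"
    list_candidates "$work/host" "$work/host/reference" "$work/host/etc/passwd" \
        > "$work/monitor.list"
    echo "== files selected for monitoring =="; cat "$work/monitor.list"
    snapshot "$work/monitor.list" > "$work/baseline.sha256"
    printf '# edited later\n' >> "$work/host/etc/ssh/sshd_config"   # simulated drift
    snapshot "$work/monitor.list" > "$work/current.sha256"
    echo "== differences since baseline =="
    compare_snapshots "$work/baseline.sha256" "$work/current.sha256"
    rm -rf "$work"
}
demo
```

Two points the fixture makes explicit: /etc/passwd matches none of the pattern rules and only enters the list because it is named by hand, which is the "recollection" part of the post; and the baseline file is only as trustworthy as its storage, so keep it (and the candidate list) off-host or on read-only media, otherwise whoever can alter the monitored files can alter the baseline to match.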
On Tue, 2005-08-23 at 13:04 -0400, Norwich University - Information
Security wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Since we're talking about Linux hardening...
>
> What do folks suggest as far as files that should be monitored with
> integrity checking tools? Obviously, tmp files and other frequently
> changed files are out of the question, and it is also impractical to do
> checking on all other files. Does anyone have a best practices list or
> suggestions of what files are critical to monitor with integrity checking?
>
> /etc/passwd
> /etc/shadow
> /etc/group
> /etc/pam.d/*
> /var/www/<static web pages>
> /etc/ssh/sshd_config
>
> ???
>
> - --
>
> @XXXXXX{========================>
> Jason Wallace
> Chief Information Security Officer
> Norwich University
>
> http://www.norwich.edu
>
> "If you spend more on coffee than on information security,
> then you will be hacked. What's more, you deserve to be hacked."
>
> -Richard Clarke
> Special Advisor to the President on Cybersecurity
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFDC1clpmEqH5sLlmsRAhfcAJ9CLSqy5z+8c1EwCY0ZynQ5bpHkhACdGGiC
> kBHohXrHJSQ/W23vXyV5R/o=
> =B43u
> -----END PGP SIGNATURE-----