Re: securing system after giving away root password
From: matt_left_coast (not_at_chance.org)
Date: 09/20/05
- Next message: Douglas O'Neal: "Re: Use iptables to block all non-US ssh traffic"
- Previous message: matt_left_coast: "Re: Use iptables to block all non-US ssh traffic"
- In reply to:(deleted message) Huge: "Re: securing system after giving away root password"
- Next in thread: Huge: "Re: securing system after giving away root password"
- Reply:(deleted message) Huge: "Re: securing system after giving away root password"
- Reply: Douglas O'Neal: "Re: securing system after giving away root password"
- Reply: Unruh: "Re: securing system after giving away root password"
Date: Tue, 20 Sep 2005 08:30:37 -0700
Huge wrote:
> matt_left_coast <not@chance.org> writes:
>>Huge wrote:
>>
>>> "Tuncay Sari" <no@spam.net> writes:
>>>
>>> [13 lines snipped]
>>>
>>>>How can I check that they ONLY changed some network files? How can I
>>>>know they didn't install any software infringing linux security? Or
>>>>copied my programs?
>>>
>>> You can't.
>>>
>>>>
>>>>Of course I'll have a detailed look at any entries in /var/log. But what
>>>>else can I do?
>>>
>>> Tripwire the machine in advance.
>>>
>>>
>>
>>It may well be that even if you have tripwire running, you can not be sure
>>if you were not exploited. The person that has root could do ANYTHING they
>>want, including editing tripwire logs, re-running tripwire to think that a
>>rootkitted system is the way everything has ever been. Even if you have it
>>configured to send out Email, that could be prevented.
>>
>>One of the best things to do, in advance, is to have a remote log server
>>and have all logs, including sudo logs, sent to a totally different server.
>>Then don't give out root, but only sudo and an end user password. Anything
>>that is done would be logged in such a way that the person could not alter
>>the logs....
>
> And all they have to do is bring the machine up standalone and your remote
> logging's worth squat.
>
>
Since the person had to log in as a user, the command to go to standalone is
LOGGED. Since the person did not have the permission to go standalone, they
are caught.
You are wrong.
--
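The review this thread argues about, run on the remote log host, as an added example that is not part of any poster's message: it reads sudo entries in sudo's syslog format, flags commands that leave multi-user mode or touch syslog, and reports any long silence from a host. The host name, user name, sample lines, watch list and gap threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what the remote log host received (not from the thread).
SAMPLE = """\
Sep 20 08:10:02 web1 sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/vi /etc/sysconfig/network
Sep 20 08:12:40 web1 sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; USER=root ; COMMAND=/sbin/telinit 1
Sep 20 08:12:41 web1 init: Switching to runlevel: 1
Sep 20 09:30:05 web1 syslogd 1.4.1: restart.
Sep 20 09:31:10 web1 sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/ls /var/log
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ")
SUDO_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sudo:\s+(\S+) : .*?COMMAND=(.*)$")
# Assumed watch list: commands that leave multi-user mode, or anything touching syslog.
WATCH = re.compile(r"^(/sbin/)?(telinit|init|shutdown|halt|reboot)\b|syslog")
MAX_GAP = timedelta(minutes=15)  # assumed: a healthy host logs at least this often


def parse_ts(text, year=2005):
    # Classic syslog timestamps carry no year, so one has to be supplied.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def review(log_text):
    """Return findings: watched sudo commands and per-host logging gaps."""
    findings, last_seen = [], {}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, host = parse_ts(m.group(1)), m.group(2)
        prev = last_seen.get(host)
        if prev and ts - prev > MAX_GAP:
            # Silence on the wire: the host was down, offline or not forwarding.
            findings.append(("gap", host, str(ts - prev)))
        last_seen[host] = ts
        s = SUDO_RE.match(line)
        if s and WATCH.search(s.group(4)):
            findings.append(("watched-command", s.group(3), s.group(4)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The remote copy shows who ran the command before the host went quiet and how long the silence lasted; it records nothing about what happened on the machine during the gap.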