Re: securing system after giving away root password

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 09/20/05


Date: 20 Sep 2005 16:42:47 GMT

matt_left_coast <not@chance.org> writes:

>Huge wrote:

>> matt_left_coast <not@chance.org> writes:
>>>Huge wrote:
>>>
>>>> "Tuncay Sari" <no@spam.net> writes:
>>>>
>>>> [13 lines snipped]
>>>>
>>>>>How can I check that they ONLY changed some network files? How can I
>>>>>know they didn't install any software infringing linux security? Or
>>>>>copied my programs?
>>>>
>>>> You can't.
>>>>
>>>>>
>>>>>Of course I'll have a detailed look at any entries in /var/log. But what
>>>>>else can I do?
>>>>
>>>> Tripwire the machine in advance.
>>>>
>>>>
>>>
>>>It may well be that even if you have tripwire running, you can not be sure
>>>if you were not exploited. The person that has root could do ANYTHING they
>>>want, including editing tripwire logs, re-running tripwire to think that a
>>>rootkitted system is the way everything has ever been. Even if you have it
>>>configured to send out Email, that could be prevented.
>>>
>>>One of the best things to do, in advance, is to have a remote log server
>>>and have all logs, including sudo logs sent to a totally different server.
>>>Then don't give out root, but only sudo and an end user password. Anything
>>>that is done would be logged in such a way that the person could not alter
>>>the logs....
>>
>> And all they have to do is bring the machine up standalone and your remote
>> logging's worth squat.
>>
>>

>Since the person had to log in as a user the command to go to standalone is
>LOGGED. Since the person did not have the permission to go standalone, they
>are caught.

>You are wrong.

He unplugged the network cable before he did that. Network outages are not
unknown. A person who has physical possession of your computer has complete
control. It is very very difficult to protect the machine from them.

>--
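The two defensive ideas in this thread, a file-integrity baseline taken before the handover (Tripwire) and evidence kept where root on the box cannot reach it (the remote log server), can be illustrated with a small added example. This is my own illustration, not code from the thread or from the Tripwire project. It hashes a directory tree into a manifest, serialises the manifest into a plain text form that can be shipped off-host, and later diffs a fresh manifest against it to list added, removed and modified files. The sample tree, its file names and contents are constructed for the demo. The caveat the replies raise still applies: the comparison only means something if the baseline was taken beforehand and stored off the machine, and if the check is run from a trusted environment such as a clean boot medium, since root on the examined host can alter both the files and any checker that runs on them.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk root and return {relative_posix_path: (sha256_hex, mode, size)}.

    Symlinks are recorded by their target rather than followed, so a link
    swapped to point elsewhere shows up as a modification.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                manifest[rel] = ("symlink:" + os.readlink(path), 0, 0)
                continue
            st = path.lstat()
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = (h.hexdigest(), st.st_mode & 0o7777, st.st_size)
    return manifest


def serialize_manifest(manifest):
    """One tab-separated line per file: digest, octal mode, size, path."""
    return "".join(
        f"{digest}\t{mode:04o}\t{size}\t{path}\n"
        for path, (digest, mode, size) in sorted(manifest.items())
    )


def parse_manifest(text):
    """Inverse of serialize_manifest; used when the baseline is read back
    from wherever it was stored off-host."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, mode, size, path = line.split("\t", 3)
        manifest[path] = (digest, int(mode, 8), int(size))
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of paths that were added, removed or modified
    (digest, permission bits or size differ) relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, change it as the person
    holding root might (one legitimate edit, one binary change, one new file,
    one deletion), then verify against the stored baseline."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "resolv.conf").write_text("nameserver 192.0.2.1\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in")

        # Taken BEFORE the handover; in practice this text goes off-host.
        stored_baseline = serialize_manifest(build_manifest(root))

        # Simulated activity after the root password was handed out.
        (root / "etc" / "resolv.conf").write_text(
            "nameserver 192.0.2.1\nsearch example.net\n")   # the agreed network edit
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")  # not agreed
        (root / "etc" / "extra.conf").write_text("x=1\n")      # new file
        (root / "etc" / "hosts").unlink()                      # removed file

        return compare_manifests(parse_manifest(stored_baseline),
                                 build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run against a real system you would baseline the directories whose contents should not change (/bin, /sbin, /etc and the like), keep the serialised manifest on the remote log host or on read-only media, and treat any "modified" entry outside the agreed network files as something to explain before trusting the machine again.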