Re: [cobalt-security] cobalt-security@xxxxxxxxxxxxxxx
Mike wrote,

> But my credo in regards to security is: better to be
> over-aware than to assume that everything is doing just fine while it - in
> reality - isn't.

Being as aware as possible is a good thing, but, knowing myself, I try to
avoid the boy-who-cried-wolf scenario. I've got lots of email, and if I get
regular email updates about what's in my tmp directories, I know that I'm
probably going to start ignoring them. I already ignore most of my
postmaster undeliverable messages :)

I do agree that the tmp directories are places where files will be placed in
the event of a compromise. However, in most cases, other files will also be
compromised. Your binaries and startup scripts are the most important.

I get around this problem by having multiple copies of fcheck running. One
copy keeps track of everything in /etc. I get emails from that fcheck just
about every day, so I ignore most of them (well, I do examine them,
quickly... so I'm bound to miss things). I have a second copy of fcheck that
tracks binaries and startup scripts - stuff that should never change unless
I'm patching the system. Those emails I watch for like a hawk - if I get one
of those, and I haven't been patching, I know I've been compromised.

I would suggest that for at least a little while you run fcheck on the
entire filesystem. It will help to familiarize you with what files are
altered when certain things are happening on your RaQ. Then you can tailor
fcheck to ignore what you don't want, and do what is best for your
situation.

In addition to fcheck, you may want to do things like schedule chkrootkit to
run once a day, and schedule regular emails of ps lists and netstat. Snort
is a good idea, too. Mike has some really good ideas... like that thingy he
designed to email him whenever someone tries to run the compiler :)

Redundancy and layers are keys to security. Never depend on one app.

Kevin