[ Pobierz całość w formacie PDF ]

usage, it might be a user accident, a malicious user, or a worm program that has compromised
your system and is now scanning other systems. Various tools exist to measure memory and
disk usage: vmstat, free, df, du, all of which are covered by their respective man pages.
At the very minimum make a full system backup, and regularly backup config files and log
files, this can also help you pinpoint when an intrusion occurred (user account "rewt" was
added after the April 4th backup, but isn't in the March 20th backup). Once a system is
compromised typically a "rootkit" is installed, these consist of trojaned binaries, and are near
impossible to remove safely, you are better of formatting the disk and starting from scratch.
There is of course a notable exception to this rule, if you were diligent and used file/directory
integrity tools such as L5 you will be able to pinpoint the affected files easily and deal with
them.
Tripwire
Tripwire is no longer a open source tool, I have absolutely NO problems with commercial
software, but when you expect me to rely on a program to provide security, when I (nor
anyone else really) can easily view the source (it is available under some special license
agreement, probably an NDA) I must decline. Tripwire costs $70 approximately for Linux,
and is only available as an RPM package aimed at (tripwire is $500 for other operating
systems), which is rather on the high side for a piece of software that can easily be replaced
with alternatives such as L5. Tripwire is available at: http://www.tripwiresecurity.com/.
L5
There is an alternative to tripwire however, L5, available at: ftp://avian.org/src/hacks/, it is
completely free and very effective. I would definitely recommend this tool.
Gog&Magog
Gog&Magog creates a list of system file properties, owner, permissions, an MD5 signature of
the file and so (similar to tripwire). You can then have it automatically compare this and
ensure any changed files/etc come to your attention quickly. As well it makes recovering from
a break in simpler as you ll know which files were compromised. You can download
Gog&Magog from: http://www.multimania.com/cparisel/gog/.
confcollect
confcollect is a simple script that collects system information such as routing tables, rpm s
installed and the like. You can download it from: http://www.skagelund.com/confcollect/
124
Backups
Something people forget about, but you can compare the current files to old backups, many
backup formats (Tape, floppy, CDR, etc.) can be made read only, so a backup of a newly
installed system provides a good benchmark to compare things to. The utility  diff and
 cmp can be used to compare files against each other. See the backup session for a full
listing of free and commercial software.
125
Conducting audits
So you've secured your machines, and done all the things that needed to be done. So how do
you make sure it's actually doing what it is supposed to do, or prove to someone that it is as
secure as you say it is? Well you conduct an audit. This can be as simple as reviewing the
installed software, configuration files and other settings, or as complex as putting together or
hiring a tiger team (or ethical hackers, or whatever buzzword(s) you prefer) to actively try and
penetrate your security. If they can't then you did your job well (or they suck), and if they do
get in, you know what needs to be fixed (this is also a good method to get an increased
security budget, show how vulnerable you are to the CIO).
There are also many free tools and techniques you can use to conduct a self audit and ensure
that the systems react as you think they should (we all make errors, but catching them quickly
and correcting them is part of what makes a great administrator). Tools such as nmap, nessus,
crack, and so forth can be quickly employed to scan your network(s) and host(s), finding any
obvious problems quickly. I also suggest you go over your config files every once in a while
(for me I try to 'visit' each server once a month, sometimes I discover a small mistake, or
something I forgot to set previously). Keeping systems in a relative state of synchronization (I
just recently finished moving ALL my customers to Kernel 2.2.x, ipchains) which will save
you a great deal of time and energy.
Using the tools mentioned earlier in  Conducting baselines you can check file integrity using
tripwire, L5, backups or other methods. Another tool that is useful for check binaries is the
 strings commands, it shows readable information in binary files, and is especially useful if
someone forgot to run  strip on their binaries after compiling them (people have gotten lucky
and gotten the directory from which the exploit was compiled, allowing them to trace down
the exact user).
126
Backups
I don't know how many times I can tell people, but it never ceases to amaze me how often
people are surprised by the fact that if they do not backup their data, if the drive craters out on
them, or they hit 'delete' without thinking it will be gone. Always backup your system, even if
it's just the config files, you'll save yourself time and money in the long run.
To backup your data under Linux there are many solutions, all with various pro's and con's.
There are also several industrial strength backup programs, the better ones support network
backups which are a definite plus in a large non-homogenous environment .
Tar and Gzip [ Pobierz całość w formacie PDF ]