bgiles at coyotesong.com
Thu Jun 14 07:37:22 MDT 2007
Ken MacFerrin wrote:
> 1) create a read-only cd or floppy from another machine with a trusted
> set of binaries (bash, ls, dd, file, w, find, lsof, md5sum, lsmod,
> strings, etc..).
If you have a pre-prepared disc, you'll want to use statically linked
versions of these programs. That will eliminate the possibility of a
compromised libc screwing with the results. iirc we actually saw this
on one of our intrusions so it's a real issue.
With Debian it's not hard to set these up. You need to use apt-get to
grab the source for the gnu tools and a few additional apps like lsof,
then set a flag somewhere and rebuild the packages. (sorry, I don't
remember where the flag is located.) Unpack into a staging directory
then burn it to CD. Just be sure it's your path, not the usual
Ubuntu would be the same, and I'm sure RedHat, Gentoo, etc. are just as
Some additional notes:
1) this would also be a good time to write a script that automatically
does everything else listed.
2) run it immediately (or better yet, periodically), so you know what
'normal' looks like.
3) you could write the data to a website, not an attached USB drive. It
comes down to how much effort it would be to write the code vs. how much
effort it would be to do it manually. The latter could be pretty
significant if you do weekly snapshots of a number of systems.
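Putting notes 1) and 2) together, as an added example that is not part of the original message: a POSIX sh script that runs each check through the read-only toolset only and diffs a checksum snapshot against a baseline taken while the host was known-good. The mount point /mnt/cdrom/bin and all function names are assumptions, not anything the list or the distributions provide.

```shell
# Added example, not from the original post: run the checks from a trusted,
# statically linked toolset and diff the results against a known-good baseline.
# TRUSTED_PATH is an assumed mount point for the read-only CD.
TRUSTED_PATH="${TRUSTED_PATH:-/mnt/cdrom/bin}"

# Run a command with PATH restricted to the trusted toolset, so nothing
# on the suspect host's own search path is consulted.
trusted() { PATH="$TRUSTED_PATH" "$@"; }

# Before burning, on the build workstation: list toolset binaries that still
# need shared libraries (ldd reports static ones as "not a dynamic executable"
# or "statically linked"; anything else would pull in the suspect host's libc).
list_dynamic_tools() {   # usage: list_dynamic_tools DIR
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        ldd "$f" 2>&1 | grep -q 'not a dynamic executable\|statically linked' \
            || echo "$f"
    done
}

# Save one command's output as OUTDIR/NAME.txt, run via the trusted PATH.
record() {   # usage: record OUTDIR NAME CMD [ARGS...]
    out="$1/$2.txt"; shift 2
    trusted "$@" > "$out" 2>&1 || true
}

# Checksum every regular file below the given roots, sorted by path so two
# snapshots of an unchanged tree are byte-for-byte identical.
snapshot_checksums() {   # usage: snapshot_checksums OUTFILE ROOT...
    out="$1"; shift
    trusted find "$@" -type f -exec md5sum {} + | trusted sort -k 2 > "$out"
}

# Print added (>), removed (<) or modified (both) entries between two
# snapshots; returns 0 when identical, 1 when anything differs.
compare_snapshots() {   # usage: compare_snapshots BASELINE CURRENT
    changes=$(trusted diff "$1" "$2" | trusted grep '^[<>]') || true
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# One full run: volatile state first, then the checksums to diff against baseline.
run_checks() {   # usage: run_checks OUTDIR ROOT...
    out="$1"; shift
    trusted mkdir -p "$out"
    record "$out" w w
    record "$out" lsmod lsmod
    record "$out" lsof lsof -n
    snapshot_checksums "$out/checksums.txt" "$@"
}
```

Run `run_checks` once on a clean install to capture what "normal" looks like, then on each later run call `compare_snapshots` against that first checksums.txt; the recorded w, lsmod and lsof outputs are plain text and can be diffed the same way.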