[UFO Chicago] Sad crashing of Linux server

Jesse Becker jesse_becker@yahoo.com
Fri, 2 Aug 2002 13:13:53 -0700 (PDT)


--- Nick Moffitt <nick@zork.net> wrote:
> begin  Jesse Becker  quotation:
> > Check /etc/passwd for bogus accounts, and run tripwire

> You don't just "run tripwire", and if you've been keeping
> an offsite checksum list with it, you'll know what to do
> with that.

Correct, and I know you don't just 'run tripwire' without
taking the appropriate other measures (read-only copies of
the database, offsite and offline, etc).  For this, and the
rpm suggestion, I was more trying to offer ideas in case
something was forgotten, not offer a definitive howto.

> If a box was compromised, "verifying packages like rpm
> does" is useless, since they check against an on-disk

True again, but you can (and I've seen...once) someone make
backups of packages databases for this reason.  Not that it
matters, but an .RPM database is much more likely to have
been munged with bogus data than a .deb database--simply
for reasons of scale if nothing else.

> Your best bet is to compile a statically-linked busybox
> against uclibc, and then shuttle it over to use as a
> pristine set of tools.

Usually I prefer making a bit copy via dd onto tape, then
restore it to a completely separate and identical disk for
offline examination. Not always possible though...

--Jesse
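An added example, not part of the thread above, showing the point both posters make about tripwire and the rpm database: a checksum list is only useful as evidence if it was recorded before the compromise and kept off the suspect host. The script records a SHA-256 manifest of a file tree, then verifies the tree by regenerating the manifest and diffing, so that modified, removed and newly added files are all flagged (a plain `sha256sum -c` would miss added files). The sample tree, the trojaned file and the bogus `passwd` entry are constructed for the demonstration; in real use the manifest would be written to read-only or offline storage and the `sha256sum`, `find` and `diff` binaries would come from a known-good static toolset rather than the suspect disk.

```shell
#!/bin/sh
# Added example: baseline-and-verify a file tree against an offline manifest.
# Assumes GNU/busybox coreutils (find -print0, sort -z, xargs -0, sha256sum).
set -eu

# make_baseline DIR MANIFEST
#   Writes "sha256  ./relative/path" for every regular file under DIR,
#   sorted bytewise so two runs over identical trees produce identical files.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum ) > "$out"
}

# verify_baseline DIR MANIFEST
#   Regenerates the manifest and diffs it against the stored one.
#   Returns 0 if the tree is unchanged; 1 (and prints the diff) otherwise.
#   Regenerating rather than using 'sha256sum -c' also catches added files.
verify_baseline() {
    dir=$1; manifest=$2
    fresh=$(mktemp)
    make_baseline "$dir" "$fresh"
    if diff -u "$manifest" "$fresh"; then
        rm -f "$fresh"; return 0
    fi
    rm -f "$fresh"; return 1
}

# demo_tamper_detection
#   Builds a constructed sample tree, baselines it, verifies the clean tree,
#   then simulates a compromise (trojaned binary, bogus account appended to
#   passwd, hidden new file). Returns 0 only if the clean tree passes and the
#   tampered tree is flagged.
demo_tamper_detection() {
    tree=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$tree/bin"
    printf 'clean binary\n' > "$tree/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tree/passwd"
    make_baseline "$tree" "$manifest"
    if ! verify_baseline "$tree" "$manifest" >/dev/null; then
        rm -rf "$tree" "$manifest"; return 1
    fi
    printf 'trojaned\n' > "$tree/bin/ls"                   # modified file
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$tree/passwd"     # bogus account
    : > "$tree/bin/.hidden"                                # new file
    if verify_baseline "$tree" "$manifest" >/dev/null; then
        rm -rf "$tree" "$manifest"; return 1               # tampering missed
    fi
    rm -rf "$tree" "$manifest"
    return 0
}
```

Typical use is `make_baseline / /mnt/offline/baseline.sha256` at install time and `verify_baseline / /mnt/offline/baseline.sha256` later from a clean boot; the diff output names exactly which paths changed, which is what you want when checking `/etc/passwd` for bogus accounts.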
