
Re: hardening checkpoints



Matt wrote:

> Kevin -
> 
> kevin bailey wrote:
>> 1. before attaching server to network install and configure tripwire.
>>
>> and could possibly put key executables on to CD-ROM and leave them in the
>> server.
> In today's same-day exploits, using something like tripwire for H.I.D.S.
> may not prove useful... By the time tripwire runs a check it may already
> be too late, or the check may not return anything as the intruder could
> have cleaned up their mess by then or altered tripwire itself.  You may
> want to consider something such as SAMHAIN that performs real-time
> monitoring and will notify you immediately, as opposed to tripwire that
> will notify only 1X/day (or however often you run it).
> 
> Also consider an intrusion response plan - if Tripwire, or samhain,
> alert you - what are you going to do?  For example, we have decided that
> upon an alert the entire network will be pretty much locked down,
> disconnected from the WAN, or, at least, the compromised server is taken
> off-line until the postmortem analysis is complete and the security
> issue resolved (of course that's the 'nut shell' procedure, the real one
> is pages upon pages).  The faster you respond to the alert, the less
> potential for malicious damage.

good point - the response should be documented.

have a plan to switch to a hot-swap backup server - also backups are sent to
a backup server via rdiff-backup.

kev


> 
> Matt
