Jim Popovitch wrote:
> On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
>
>> The difference is that:
>>
>> a) These all run on the live system they are trying to protect,
>>
>
> Unless you configure them to only write to an offline mount point that
> is normally ro and only rw through external effort.... which is in
> Tripwire's best practices.
>
> -Jim P.
>
OK, this would work. The problem for me is that it would involve turning
the media r/w and updating the database every time I run apt-get to
install security updates, which I do once a week. If I was running a
large server farm and I was looking after it full time, this would be
OK, but my situation is that I have two machines, both for personal use,
and I don't want to have to devote my entire life to looking after the
security on them. The machines are a laptop for general use, and a
server which I use for testing and demonstrating small web-based
projects I do for people on a voluntary basis. They are connected to the
internet by ADSL, with only the server set to accept incoming connections.
The other night, I had my laptop switched on and a sound file I had
never heard before played through the speaker (it said 'hello' in
someone else's voice). I'm assuming I've been cracked and it was
someone's idea of a joke. I've halted the server in case that was their
way in, and I'm planning to reinstall both my machines this week, but
also looking for a more long-term solution which I could put some time
into now and save myself and anyone else who wants to use it a lot of
trouble in the future.
What I'm looking for is a solution where I can do security updates every
week, as my first line of defence, but then have a fallback way of
detecting intrusions which I could run maybe every month, which doesn't
need too much work to keep on top of it once it's been set up. I can
probably find ways of improving my security using existing tools, but it
occurred to me that the system I described would be a pretty watertight
check on whether a system has been cracked, which is what I'm looking for.
andy baxter.
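Jim's suggestion above (keep the integrity database on a mount that is normally read-only and remount it read-write only for the moment it is refreshed after updates) and the weekly-update/monthly-check routine Andy describes, as an added example that is not part of this thread and not Tripwire's own code: a small POSIX sh script that hashes a set of system directories into a manifest, refreshes that manifest after updates while the mount is briefly rw, and later diffs a fresh manifest against it. The variable names WATCH_DIRS, BASELINE_MOUNT and BASELINE_FILE, the mount point /mnt/baseline and the two subcommands are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, not Tripwire): a minimal file-integrity
# baseline kept on a mount that is normally read-only and re-mounted
# read-write only for the few seconds it takes to refresh the baseline.
# WATCH_DIRS, BASELINE_MOUNT and BASELINE_FILE are assumed names/paths.
set -eu

# Directories to hash (word-split on purpose; no spaces in these paths).
: "${WATCH_DIRS:=/bin /sbin /usr/bin /usr/sbin /lib /etc}"
# Mount point holding the baseline; empty disables remounting (e.g. for tests).
: "${BASELINE_MOUNT:=}"
# Manifest location (on BASELINE_MOUNT when that is set).
: "${BASELINE_FILE:=/mnt/baseline/sha256.db}"

# remount ro|rw: flip the baseline mount; a no-op when BASELINE_MOUNT is empty.
remount() {
    [ -n "$BASELINE_MOUNT" ] || return 0
    mount -o "remount,$1" "$BASELINE_MOUNT"
}

# build_manifest FILE: write "sha256  path" for every regular file under
# WATCH_DIRS, sorted by path so two manifests can be diffed line by line.
build_manifest() {
    # shellcheck disable=SC2086
    find $WATCH_DIRS -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$1"
}

# refresh_baseline: run right after the weekly apt-get; the mount is rw
# only between the two remount calls.
refresh_baseline() {
    remount rw
    build_manifest "$BASELINE_FILE"
    remount ro
}

# check_baseline: the monthly check; prints added, removed and changed files
# as a unified diff and returns 1 if anything differs, 0 if nothing changed.
check_baseline() {
    current=$(mktemp)
    build_manifest "$current"
    if diff -u "$BASELINE_FILE" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}

case "${1:-}" in
    refresh) refresh_baseline ;;
    check)   check_baseline ;;
    *)       ;;   # no subcommand: just define the functions
esac
```

Usage: `BASELINE_MOUNT=/mnt/baseline sh baseline.sh refresh` as root after each round of security updates, and `sh baseline.sh check` whenever the monthly check is due; a non-zero exit with a diff listing is the signal to investigate. The caveat is exactly Andy's point (a): the check still runs on the live system, so a kernel-level rootkit that lies to `find` and `sha256sum` can hide from it. Putting the baseline on read-only media limits tampering with the database, but only booting clean rescue media and running the same check against the mounted disk, or keeping a copy of the manifest off the box, removes the dependency on the possibly compromised kernel.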
--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org