[lug] Weird permission changing

Rob Nagler nagler at bivio.biz
Thu Jan 24 08:41:05 MST 2002


Chip Atkinson writes:
> On a related note, I was thinking of ways to make that machine more secure
> without crippling performance.  I thought of mounting /bin /usr/bin /sbin
> and /usr/sbin read only, but also thought of burning a cd with all that on
> it and mounting the cd instead.  It seems reasonable to me since many
> things would be in buffer cache after a little bit.

If someone could modify /bin, etc., they are in pretty deep at that
point.  I used to use tripwire. It's pretty good, but hard to
configure properly.

I have always been concerned with net downloads.  It would be trivial
for someone to add some malicious or insecure code to just one
infrequently used program.  How do I validate random programs?  I don't
think I can.

Rather, I try to avoid running anything as root.  Another thing is to
trim down production machines.  I don't care so much that my
workstation gets cracked, but I do care if one of our servers with
customer credit cards, SSNs, etc. gets cracked.  I once stripped SunOS
to about 200 files.  That was all that was on the machine.  I knew the
reason for every file.  It was an interesting experience, but
certainly tedious.  I still had to trust the programs, but my trusted
computer base was small.

Auditing is critical.  You should process your logs nightly at least.
Our machines get attacked almost continuously.  I like to see the
messages in the logs.  We strip out common stuff, but we see every
incorrect login attempt, every relay attempt, etc.  Save all your
logs.  We're very paranoid so we save every ethernet packet for a full
week (on both sides of our production front-ends).  It's invaluable in
debugging, and we actually used it to follow an alleged crack, which
turned out not to be one, fortunately.

Rob
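
The nightly log pass described in the message above (strip the common lines, but see every incorrect login and relay attempt), as an added example that is not part of the original post or the poster's own tooling. The log formats (OpenSSH and Postfix syslog lines), the ignore rules, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Events that are always reported, keyed by name; group 1 is the source address.
# Formats assume OpenSSH and Postfix syslog lines (an assumption of this example).
ALWAYS = {
    "failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"),
    "relay_denied": re.compile(
        r"reject: RCPT from \S*\[([^\]]+)\]: .*Relay access denied"),
}

# Routine lines that are stripped. Keep this list short and specific: a broad
# pattern here silently hides events.
IGNORE = [
    re.compile(r"CRON\[\d+\]: .*session (?:opened|closed) for user \S+"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for \S+ from \S+"),
]

def nightly_report(lines):
    """Classify one day's log lines; anything not known-routine is surfaced."""
    report = {name: Counter() for name in ALWAYS}
    report["unclassified"] = []
    for line in lines:
        for name, pattern in ALWAYS.items():
            match = pattern.search(line)
            if match:
                report[name][match.group(1)] += 1
                break
        else:
            # Not a must-report event: drop it only if it is known-routine.
            if not any(p.search(line) for p in IGNORE):
                report["unclassified"].append(line)
    return report

# Constructed sample lines (documentation address ranges, hypothetical host).
SAMPLE = """\
Jan 24 02:00:01 web1 CRON[811]: pam_unix(cron:session): session opened for user root
Jan 24 02:13:44 web1 sshd[902]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 24 02:13:49 web1 sshd[902]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 24 03:05:10 web1 sshd[950]: Accepted publickey for deploy from 198.51.100.4 port 51515 ssh2
Jan 24 03:40:02 web1 postfix/smtpd[977]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@example.org> to=<x@example.net> proto=ESMTP helo=<mail>
Jan 24 04:11:30 web1 kernel: eth0: Promiscuous mode enabled.
""".splitlines()

if __name__ == "__main__":
    for key, value in nightly_report(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Lines that match neither list land in `unclassified`, so a new kind of event is reported by default rather than silently dropped.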