Re: No Security is Bad Security:

From: Kevin Day (toastyat_private)
Date: Tue Feb 02 1999 - 23:50:20 PST

Next message: C.J. Oster: "More oshare testing."

Previous message: Richard Kail: "Re: [patch] /proc race fixes for 2.2.1 (fwd)"
Maybe in reply to: John \: "No Security is Bad Security:"
Next in thread: Jan B. Koum: "Re: No Security is Bad Security:"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>
> Mistakes Made in Incidence Response:
> -----------------------------------
>
> 1) Don't log in as root on a machine that most likely has been
> compromised. Bsd things can happen.
>
> 2) Don't go around blithely executing binaries. (I feel rather stupid
> about that)
>
> 3) Do *immediately* take the machine offline, and mount the disks on
> another system for analysis.


If mounting on another system, and your OS supports it, mount with the
'noexec' option, to make sure you don't accidently infect another system, as
well as the rdonly flag to make sure you don't damage evidence. You may also
want to consider 'noatime', to keep things really pristine, if you don't go
'ro'.

             noexec  Do not allow execution of any binaries on the mounted
                     file system.  This option is useful for a server that has
                     file systems containing binaries for architectures other
                     than its own.



Kevin

Next message: C.J. Oster: "More oshare testing."
Previous message: Richard Kail: "Re: [patch] /proc race fixes for 2.2.1 (fwd)"
Maybe in reply to: John \: "No Security is Bad Security:"
Next in thread: Jan B. Koum: "Re: No Security is Bad Security:"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:22 PDT