On Thursday 11 October 2001 22.18, Patrick Nelson wrote:
> Anders Johansson... So are you saying having the rpm database on a removable medium, or just rpm itself? Explain in more depth, please.
The database. This is common advice with products like tripwire and others that rely on checksums to see if files have been altered. Create the database and store it on a read-only medium, or at least a medium that's been physically removed from the computer. And obviously do this before going 'live' on the net.

The rpm binary, or any binaries at all for that matter, shouldn't be used on the compromised system. Instead, you should take the hard drive, put it in a system that's known to be safe (generally a system without network connections) and mount it noexec and read-only. Then you can match things with tripwire or against the rpm database you stored away earlier. And you can use things like the Coroner's Toolkit and other anti-cracking suites on the drive (or preferably on a copy of the drive, so you can experiment without risking the loss of possible evidence in a coming trial against the cracker).

The whole thing is really very complicated, but the above things are good to have as rules of thumb before more advanced analysis takes place.

And to James Oakley: yes, sometimes a production system can't be taken off-line just because the sysop gets paranoid. A risk analysis should be made beforehand, and procedures put in place, so you know which alarm signals are sufficiently severe to justify the loss of income from taking down the system.

regards
Anders
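The procedure described above (build a checksum baseline while the system is still trusted, store it off the machine, later mount the suspect drive read-only and noexec on a clean box and compare it against the stored baseline) as an added shell example; this is not code from the original thread. It stands in sha256sum for tripwire or the rpm database, builds its own constructed sample tree, and the device name and mount point in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal stand-in for
# tripwire / an off-host rpm database. The baseline is written while the
# filesystem is trusted and is meant to be copied to read-only media.
#
# On the analysis machine the suspect drive is mounted before verifying
# (needs root; /dev/sdX1 and /mnt/suspect are placeholders):
#   mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/suspect
#   verify_baseline /mnt/suspect /media/cdrom/baseline.sha256
# With rpm the same idea is the stored database queried against the mounted
# drive via rpm's --root and --dbpath options instead of this script.

set -u

# make_baseline ROOT OUTFILE
# Record "sha256  ./relative/path" for every regular file under ROOT.
# (Paths with leading/trailing spaces are not handled by this toy.)
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$out"
}

# verify_baseline ROOT BASELINE
# Print one MODIFIED / MISSING / ADDED line per deviation.
# Returns 0 only if the tree matches the baseline exactly.
verify_baseline() {
    root=$1; baseline=$2
    status=0

    # 1. Every file the baseline knows about: still there, same hash?
    while read -r hash path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; status=1
        else
            cur=$(sha256sum "$root/$path" | cut -c1-64)
            if [ "$cur" != "$hash" ]; then
                echo "MODIFIED $path"; status=1
            fi
        fi
    done < "$baseline"

    # 2. Files on disk the baseline never saw (e.g. a planted binary).
    #    Column 67 onward of a sha256sum line is the path (64 hex + 2 spaces).
    known=$(cut -c67- "$baseline")
    added=$( ( cd "$root" && find . -type f ) | while read -r path; do
        printf '%s\n' "$known" | grep -qxF -- "$path" || echo "ADDED    $path"
    done )
    if [ -n "$added" ]; then
        echo "$added"; status=1
    fi
    return $status
}

# demo: constructed sample tree, baseline it, tamper with it, verify.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/fs/bin" "$work/fs/etc"
    printf 'original login binary\n' > "$work/fs/bin/login"
    printf 'root:x:0:0\n' > "$work/fs/etc/passwd"
    make_baseline "$work/fs" "$work/baseline.sha256"   # copy this off-host

    # Simulated compromise: trojaned binary, deleted file, planted file.
    printf 'trojaned login\n' > "$work/fs/bin/login"
    rm "$work/fs/etc/passwd"
    printf 'dropper\n' > "$work/fs/bin/.hidden"

    verify_baseline "$work/fs" "$work/baseline.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `sh verify.sh --demo` to see MODIFIED, MISSING and ADDED reported for the constructed tree; the script exits non-zero whenever the tree deviates from the baseline, so it can drive an alert in a cron job.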