On Tue, 2002-06-18 at 14:35, Justin Coffey wrote:
 
> This is totally valid.  It just sort of depends on what your agenda is
> upon discovery of a compromise.  I know it's not always the best practice,
> but I generally just try to expel them as quickly as possible and then
> make sure they can't get back in as best I can.

It's definitely dependent on the situation.  If you've reason to believe
the compromise may lead to data loss, data leak, or further compromises
I would definitely say get the hacker out ASAP.  Though I would be more
prone to simply yanking the network cable if it's feasible.

Ideally you would always have a chance to study the suspicious
connection, remove the machine from production, study the compromise,
back up the data, reinstall, and only put it back into production when
you're comfortable that the machine is secure.  But I definitely
understand that this isn't necessarily possible in the real world, where
a server going offline would cause an interruption of service.  :)
 
> Personally, I just keep multiple precompiled kernels, with their
> corresponding System.map files lying around.  On our network we have 3
> different SCSI cards and two different NICs.  I keep 3 kernels (one for
> each SCSI card with two NIC drivers enabled).  And of course, that's no
> substitute for having an up to date box.  We have the luxury of having a
> security guy here (well he just came on board), whose primary task is just
> making sure we're secure (not other sys admin maintenance/install duties).

Yeah, it's not that huge an issue building a few different kernels.  But
all in all I find my time is better spent at things other than building
and packaging multiple kernels, tracking what machines get which, and
trying to massage our roll-out system to handle multiple variants of the
same version of the same package.

We're just reaching the end of migrating every Intel machine to the
exact same platform, exact same base package list, same exact additional
packages based on machine class (e.g. smtp server, web server), etc,
etc.  And to be honest, I like that I can update all of them from the
same packages without having to worry about whether this one gets
version A of the package, or that one gets version B of the package.  :)

Matt
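The thread above weighs expelling the intruder immediately against studying the suspicious connection first. One way to keep both options open is to snapshot the host's volatile state (processes, sockets, identity) into an evidence directory in the seconds before the cable is pulled. The script below is an added example, not code from either poster; it assumes a POSIX sh with ps, uname, date, id and mktemp, reads socket tables from /proc/net on Linux and silently skips them elsewhere.

```shell
#!/bin/sh
# Added example (not from the original thread): capture volatile state of a
# suspect host into a timestamped evidence directory BEFORE disconnecting it,
# so the "study the suspicious connection" step is not lost when the cable
# is yanked. Run as root on the suspect machine; review the output offline.

capture_volatile_state() {
    # $1: parent directory for evidence (defaults to a fresh temp dir)
    parent=${1:-$(mktemp -d)}
    dir="$parent/evidence-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dir" || return 1

    # Host identity and capture time, so the snapshot can be tied to a report
    uname -a > "$dir/uname.txt" 2>&1
    date -u > "$dir/captured_at.txt"
    id > "$dir/whoami.txt" 2>&1

    # Running processes: the intruder's shell or backdoor is usually still here
    ps aux > "$dir/processes.txt" 2>&1 || ps -ef > "$dir/processes.txt" 2>&1

    # Open sockets straight from the kernel tables (Linux only); these vanish
    # the moment the network cable is pulled
    for f in /proc/net/tcp /proc/net/tcp6 /proc/net/udp; do
        [ -r "$f" ] && cat "$f" > "$dir/$(basename "$f").txt"
    done

    # Manifest with sizes so a later reviewer can see exactly what was collected
    ( cd "$dir" && ls -l > manifest.txt )

    # Print the evidence directory so a wrapper can copy it off-host
    printf '%s\n' "$dir"
}
```

Usage: `dir=$(capture_volatile_state /mnt/usb)` writes the snapshot to removable media, after which the host can be taken off the network and the slower steps (disk backup, reinstall) proceed without losing the in-memory picture.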
