> ...or keep this discussion on list for those who cannot get to SLUG
> meetings.

Or both.. I'd be happy to do a presentation or a Q&A session on security if
anyone's interested.. and considering that a lot of people on this list are
admins or working in IT - it'd be quite good to keep it on methodology as
opposed to specific products/tools.. this way general solaris admins or
network engineers could also benefit..?

> BTW, when you do a backup to tape, would that not alter the atime?

Note - not "backup" - a "dd" - atime only changes if you access the inode
directly - a dd will use the device (e.g. /dev/sdb1) as opposed to the
separate files on that filesystem.

dd is your friend.. I always have a statically compiled version handy when
going on-site.. don't use the dd on the compromised box if you can help
it!

And if at all possible, try not to touch the keyboard much when you get to
the scene.. take a photo beforehand if possible and maintain a log of who
comes in/out of the area where the compromised box is.

Remember - you can't prosecute unless you have perfect details which
aren't "questionable" - be surgically precise.

The only problem with atime records is when you're playing with squid etc
and a lot of people put their cache partition in /var/cache or similar and
mount /var noatime - which sucks for forensics, but will certainly make
your squid fly. ;)

(you should whack squid elsewhere btw! :)



//umar.


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug

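The imaging procedure umar describes above (read the raw device with dd rather than the files on it, hash what you took, keep a log of who handled what, and know which filesystems were mounted noatime before you trust their access times) as an added shell example. It is not code from the original message or the list. It assumes a trusted static dd reachable through a STATIC_DD variable (falling back to the system dd), a custody log path in LOG (default ./custody.log), a block size in BS, and a constructed /proc/mounts-style sample for the noatime check; none of those names come from the post.

```shell
#!/bin/sh
# Added example, not from the original message. Images a raw device with dd,
# hashes source and image, appends a custody log line, and flags mounts whose
# noatime option means access times were never recorded in the first place.
# Assumed names (not from the post): STATIC_DD, LOG, BS.

set -u

# sha256 of one file; coreutils sha256sum or BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# forensic_image SRC DEST [OPERATOR]
# SRC is the raw block device (e.g. /dev/sdb1), never a mounted path: dd reads
# sectors, so no file inode on that filesystem is opened and atimes stay put.
# Returns 0 only if the image hashes the same as the source.
forensic_image() {
    src=$1; dest=$2; operator=${3:-$(id -un)}
    dd_bin=${STATIC_DD:-dd}       # trusted static dd brought on-site, if set
    log=${LOG:-./custody.log}
    bs=${BS:-512}

    # conv=noerror,sync: carry on past unreadable sectors and pad them with
    # NULs so offsets in the image still match the device. Caveat: sync pads
    # every short *input block* to $bs, so a large bs pads the tail of the
    # image and the hashes will not match; 512 keeps it sector-exact.
    # dd's own stderr (read errors, record counts) is kept beside the image.
    "$dd_bin" if="$src" of="$dest" bs="$bs" conv=noerror,sync \
        2>"$dest.dd.log" || return 1

    src_hash=$(hash_file "$src")
    dest_hash=$(hash_file "$dest")
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$operator" "$src" "$dest" "$dest_hash" >> "$log"
    [ "$src_hash" = "$dest_hash" ]
}

# check_noatime [MOUNTS_FILE]
# Prints mount points whose options include noatime (fields of /proc/mounts:
# device mountpoint fstype options dump pass). Evidence from those
# filesystems carries no usable atime, as the message warns for /var.
check_noatime() {
    awk '$4 ~ /(^|,)noatime(,|$)/ { print $2 }' "${1:-/proc/mounts}"
}
```

Run check_noatime against the live /proc/mounts before you start looking at atimes, and keep the custody log and the dd stderr file with the image: a mismatch between source and image hash, or a non-zero error count in the dd log, is exactly the "questionable" detail the message warns will sink a prosecution.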