Business case for switching to Linux

Fraser Campbell fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Tue Apr 11 02:11:39 UTC 2006


John Van Ostrand wrote:

>>A full review would mean inspecting every single init script and config 
>>file for differences from original and inspecting every single file not 
>>owned by RPM - "rpm -Va" won't tell you that a modified 
>>/etc/sysconfig/network file is actually starting some spambot.
> 
> 
> rpm -Va will tell you that it was modified, it's up to you to check the
> file.
> 
> A quick reboot and a clean rpm -Va followed by a ps, netstat, etc will
> ensure that you've caught everything.

And a:

# list every file on each filesystem that rpm does not account for
for fs in /all /file /systems; do
   find "$fs" -xdev -exec rpm -qf '{}' + | grep 'not owned'
done

Verify that all the suspect files not belonging to RPMs are ok.

All this from a rescue system of course since no utility (find, ps, 
netstat) can be trusted on the hacked system.


>>Every single user's files should be suspect as well - you wouldn't want a 
>>user's .bashrc/.profile/.cshrc/.??? reinstalling a rootkit on you.
> 
> How would a re-install help unless you intend to replace, restore or
> delete those files? If you're going to do that why not on a "fixed" system
> then too?

It has to be done on the fixed system as well. Every shortcut introduces a 
little more risk; on some systems such stringent checking would be hugely 
time-consuming, of course.


>>A hacked system might be fixable but I stick by my opinion that it's both 
>>easier and better to reinstall in many cases no matter how much you know.
> 
> It really depends on the system and the administrator. A re-install of a
> complex system that would take days to reconfigure may be more of a
> business hit than the hour to fix it.
>
> If it's just a web server then a re-install could work, as long as you
> can restore the application data fast enough.

Local accounts vs not, local state vs not would factor in the decision. 
The risk profile of a system might force reinstall or file-by-file checks 
no matter what the business hit and pain.

One would hope that there's a good DR plan covering how to rebuild the 
server ;-)

-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
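The thread's point is that rpm -Va only flags changed files and the admin still has to judge each one. As an added example (not code from the thread or from rpm), this shell triage reads rpm -Va output captured from a rescue system and sorts the findings; the --root invocation, the severity rules and the sample lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: triage the output of "rpm -Va".
# Assumed capture from a rescue system with the hacked disk mounted:
#   rpm --root /mnt/sysimage -Va > verify.txt
# (rpm's --root points it at the mounted system's own package database.)
#
# Each line: an attribute string (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P caps; "." = unchanged) or the word "missing",
# an optional type flag (c config, d doc, g ghost, l license, r readme),
# then the path.

# Constructed sample lines standing in for real rpm -Va output.
SAMPLE_VERIFY='S.5....T.  c /etc/sysconfig/network
.......T.    /usr/share/doc/foo/README
S.5....T.    /bin/ps
missing      /usr/sbin/sshd
.M.......    /tmp/somefile'

# Reads rpm -Va lines on stdin, prints SEVERITY<TAB>PATH<TAB>REASON.
# The severity rules are this example's own, not rpm's:
#   file missing                          -> HIGH
#   digest changed on a non-config file   -> HIGH   (replaced binary/library)
#   digest changed on a config file       -> REVIEW (edited config; read it)
#   mode/owner/group changed, same digest -> REVIEW
#   anything else (mtime only, docs)      -> LOW
triage_rpm_verify() {
    awk '
    {
        attrs = $1
        path  = $NF
        if (attrs == "missing") { print "HIGH\t" path "\tfile missing"; next }
        ftype  = (NF == 3) ? $2 : ""   # type flag is only present with 3 fields
        digest = (index(attrs, "5") > 0)
        perms  = (index(attrs, "M") > 0 || index(attrs, "U") > 0 || index(attrs, "G") > 0)
        if (digest && ftype != "c") print "HIGH\t"   path "\tcontent changed, not a config file"
        else if (digest)            print "REVIEW\t" path "\tconfig file edited"
        else if (perms)             print "REVIEW\t" path "\tpermissions/ownership changed"
        else                        print "LOW\t"    path "\tmetadata only (" attrs ")"
    }'
}

# Paths of HIGH findings only, one per line.
high_findings() {
    triage_rpm_verify | awk -F'\t' '$1 == "HIGH" { print $2 }'
}

printf '%s\n' "$SAMPLE_VERIFY" | triage_rpm_verify
```

The HIGH list is what to read first; REVIEW entries are the edited config files the thread warns about, which still have to be inspected by hand.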