Business case for switching to Linux
Fraser Campbell
fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Tue Apr 11 02:11:39 UTC 2006
John Van Ostrand wrote:
>>A full review would mean inspecting every single init script and config
>>file for differences from original and inspecting every single file not
>>owned by RPM - "rpm -Va" won't tell you that a modified
>>/etc/sysconfig/network file is actually starting some spambot.
>
>
> rpm -Va will tell you that it was modified; it's up to you to check the
> file.
>
> A quick reboot and a clean rpm -Va followed by a ps, netstat, etc will
> ensure that you've caught everything.
And a:
# one pass per mounted filesystem; rpm -qf prints
# "file ... is not owned by any package" for each stray file
for fs in /all /file /systems; do
find "$fs" -exec rpm -qf '{}' + | grep 'not owned'
done
Verify that all the suspect files not belonging to RPMs are OK.
All this from a rescue system of course since no utility (find, ps,
netstat) can be trusted on the hacked system.
>>Every single user's files should be suspect as well - you wouldn't want a
>>user's .bashrc/.profile/.cshrc/.??? reinstalling a rootkit on you.
>
> How would a re-install help unless you intend to replace, restore or
> delete those files? If you're going to do that why not on a "fixed" system
> then too?
It has to be done on the fixed system as well. Every shortcut introduces a
little more risk; on some systems such stringent checking would be hugely
time-consuming, of course.
>>A hacked system might be fixable but I stick by opinion that it's both
>>easier and better to reinstall in many cases no matter how much you know.
>
> It really depends on the system and the administrator. A re-install of a
> complex system that would take days to reconfigure may be more of a
> business hit than the hour to fix it.
>
> If it's just a web server then a re-install could work, as long as you
> can restore the application data fast enough.
Local accounts vs not, local state vs not would factor in the decision.
The risk profile of a system might force reinstall or file-by-file checks
no matter what the business hit and pain.
One would hope that there's a good DR plan covering how to rebuild the
server ;-)
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
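As an added example (mine, not from the thread or from either poster): the
checks discussed above collapsed into one script to run from the rescue
system with the compromised disk mounted at a path of your choosing. It uses
the rescue system's own rpm with --root so nothing on the hacked disk is
executed (assumption: that rpm honours --root for -Va and -qal), and it finds
files not owned by any package by comparing rpm -qal against find instead of
calling rpm -qf once per file as in the loop above, which yields the same
list far faster. The mount point, the sample rpm -Va lines in the comments
and the home directories are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the thread's three
# checks from a rescue system against a compromised disk mounted at $TARGET:
# rpm -Va, files not owned by any package, and users' shell start-up files.
# Assumed: the rescue system's own rpm(8) honours --root for -Va and -qal,
# so no binary on the compromised disk is executed. Mount point is illustrative.

TARGET="${TARGET:-/mnt/target}"
LC_ALL=C; export LC_ALL        # sort(1) and comm(1) must agree on collation

# rpm -Va prints one line per file that fails verification, e.g. (constructed)
#   S.5....T.  c /etc/sysconfig/network
#   .......T.    /usr/bin/ls
#   missing     /etc/pam.d/sshd
# Letters: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities; a "c" before the path marks a config file.
# Reads that output on stdin and keeps only content changes (size or digest)
# and missing files: an mtime change alone is noise, but a changed digest on
# a config file is exactly the spambot-in-/etc/sysconfig case in the thread.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        $1 ~ /^[SM5DLUGTP.?]+$/ && length($1) >= 8 && $1 ~ /[S5]/ {
            tag = ($2 == "c") ? "CONFIG-CHANGED" : "FILE-CHANGED"
            print tag " " $NF
        }
    '
}

# $1 = file holding "rpm -qal" output (every path the package database owns),
# $2 = file holding the paths actually on disk, written as they appear inside
# the root. Prints what is on disk but in no package; %ghost entries that are
# absent from disk drop out because comm -13 only prints lines unique to $2.
unowned_paths() {
    sort -u "$1" > "${TMPDIR:-/tmp}/owned.$$"
    sort -u "$2" | comm -13 "${TMPDIR:-/tmp}/owned.$$" -
    rm -f "${TMPDIR:-/tmp}/owned.$$"
}

# Shell start-up files under root's and every user's home below $1: the
# files that would re-run a rootkit installer at the next login.
startup_files() {
    find "$1/root" "$1/home" -maxdepth 2 -type f \
        \( -name .bashrc -o -name .bash_profile -o -name .bash_login \
           -o -name .profile -o -name .cshrc -o -name .login \
           -o -name .zshrc -o -name .zprofile -o -name .bash_logout \) \
        2>/dev/null | sort
}

# Full run against the mounted disk, using only the rescue system's tools.
rescue_audit() {
    work=$(mktemp -d)
    echo "== packaged files changed or missing (rpm -Va)"
    rpm --root "$TARGET" -Va | triage_rpm_verify
    echo "== files on disk not owned by any package"
    rpm --root "$TARGET" -qal > "$work/owned"
    # -printf %P strips the mount point so paths match the database; no
    # -xdev, because the target's other partitions mounted below $TARGET
    # are wanted and nothing like /proc is mounted there from a rescue system.
    find "$TARGET" -type f -printf '/%P\n' > "$work/found"
    unowned_paths "$work/owned" "$work/found"
    echo "== shell start-up files to read by hand"
    startup_files "$TARGET"
    rm -rf "$work"
}

case "${1:-}" in run) rescue_audit ;; esac
```

Run it as "sh audit.sh run" on the rescue system; without the argument it
only defines the functions, so saved rpm -Va output can be piped through
triage_rpm_verify on its own. The output is a review list, not a verdict:
every CONFIG-CHANGED and unowned path still has to be read by a human, which
is the point John and Fraser agree on above.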
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml