On Thu, 2004-01-22 at 00:12, Paul Jakma wrote:
>> Great theory, but $user can just run foo2.
>correct
> (and even if you did modify ypcat, $user can go get a ypcat from some
> other system or net. or if you have machines you dont directly
> control, you either must prevent them from talking to your NIS
> server or just accept they have your nis maps.)
correct
Okay so what do you do?
My suggestions are based on the idea that you do not know if the machine
has been broken into or not.
This should have a policy and a procedure all documented that should
have activated upon suspicion.
Make a plan that involves at the very least:
Taking the machines offline, image the disk(s) for forensics keep the
originals and get on with your life.
Build new boxes patch them and restore them, inform all users that they
need new passwords, set up to log everything you can and read all you
log.
Reopen the accounts on a verified basis, all the stuff that is not
mentioned here but documented on the net that is good stuff.
do forensics
IANAL and if this does not agree with your laws don't do it...
Paul
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
