Security Basics mailing list archives

RE: redhat audit


From: "Klotz, Brian" <Brian_Klotz () heald edu>
Date: Mon, 16 Jun 2003 20:43:49 -0700


Matthew,

If you do not have something like Tripwire running, then you cannot trust
anything on the box whether its date has changed or not.  You could do a
check like the one you suggest with the -atime flag to the find command (to
show the files' access times), but a skilled attacker would not leave such
obvious tracks and would set the access time to something in the past (even
the original setting).

I suggest backing up your logs to a CD or another box, then doing a
reinstall from trusted media and installing Tripwire to watch for further
nefarious activities.

Or something like that...

Brian Klotz, CCNA
Instructor
Heald College, Portland Campus
Brian_Klotz () heald edu
503.229.0492


-----Original Message-----
From: Matthew Sallee [mailto:iammatt () holly colostate edu] 
Sent: Monday, June 16, 2003 2:01 PM
To: security-basics
Subject: redhat audit

recently my redhat box was compromised and i'm auditing changes that were
made (i didn't notice for several days).

i've been trying to create a command that will allow me to view all the
files modified in the last x number of days.

i've tried piping ls to grep with minimal success. any help is greatly 
appreciated...

matt



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------



This communication may contain Heald College confidential and proprietary data.
Any questions should be directed to a Heald College IT administrator.
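
Added example (not part of either message): the search the original question asks for, done with find's -mtime next to -ctime, which the kernel updates even when touch resets a file's modification time. The function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Uses only find tests that exist in
# both GNU and BSD find.

# Files whose contents changed (mtime) within the last DAYS days.
recent_mtime() {    # usage: recent_mtime DIR DAYS
    find "$1" -xdev -type f -mtime "-$2" -print
}

# Files whose inode changed (ctime) within the last DAYS days. The kernel sets
# ctime on every write, chmod, chown and rename, and on touch itself;
# touch/utime() cannot set it to a chosen value.
recent_ctime() {    # usage: recent_ctime DIR DAYS
    find "$1" -xdev -type f -ctime "-$2" -print
}

# Recent ctime but older mtime: a metadata-only change or a reset mtime.
# Worth a manual look; not proof of tampering on its own.
ctime_only() {      # usage: ctime_only DIR DAYS
    find "$1" -xdev -type f -ctime "-$2" ! -mtime "-$2" -print
}

# Constructed sample tree: one ordinary file and one whose mtime has been
# put back to 2003-01-01 00:00. Prints the path of the new directory.
make_sample() {
    d=$(mktemp -d) || return 1
    echo "edited today" > "$d/normal.conf"
    echo "edited today" > "$d/backdated.bin"
    touch -t 200301010000 "$d/backdated.bin"
    echo "$d"
}

# Run as: sh script.sh DIR DAYS
if [ "$#" -eq 2 ]; then
    echo "== mtime within $2 days ==";      recent_mtime "$1" "$2"
    echo "== ctime recent, mtime older =="; ctime_only "$1" "$2"
fi
```

An intruder with root can falsify ctime as well, so the output is a list of leads for the audit and not evidence that the remaining files are clean, which is the reply's point about needing Tripwire-style baselines.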
