Re: Cracked; rootkit - entrapment question?

[lamont () ICOPYRIGHT COM (Granquist, Lamont)]

On Thu, 2 Mar 2000, Craig H. Rowland wrote:
> If you are facing a serious compromise situation where an attacker has
> gained full internal access, and you want to contain and analyze the
> damage, you may wish to deploy a honey pot. For most cases though I think
> running a honey pot on your external border is not a good idea.

I've pretty much shared your opinion about honey pots, but one idea I've
been toying with recently is deploying "canary" systems internally so that
if someone smarter than me does get through the perimeter, if they hit the
canary system it'll alert me.  I'd probably use just a default redhat 6.0
install (got enough root holes there to make it east), call it something
tempting like "cybercash" and then modify sh/bash and csh/tcsh to e-mail a
warning anytime they are run (and turn off cron jobs to eliminate the
false positives).

Comments, thoughts, suggestions?