On 10/21/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote: > On Sunday 21 October 2007 22:38:52 Dave Burns wrote: > > > > You can trust the results if you reboot your system from a CD, > > >From my experience, rebooting a hacked system is not a pretty good idea, Exactly. So there are three contexts in which you are using the tools: 1) Not sure you've been hacked, just suspicious or vigilant. 2) Sure you've been hacked, have not yet rebooted, looking for information. 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or other known-good /. In situation 1 and 2, you can't totally trust your tools, unless they're giving you bad news. In situation 3 your can trust the tools as much as you can trust the "known-good /" where they are located. So you're never totally sure you're in the clear. I guess the truly paranoid might boot from a CD and do an audit periodically, I guess that might make me feel pretty confident. Hard to automate it (and may open up new vulnerabilities), no one wants it happening during ordinary working hours, and I don't want to be doing it by hand outside ordinary hours. Yuck. >To evalue my general system security I use babel Is that comparable to nagios, or more security oriented? gracias, Dave
