On 10/17/07, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
> Jacques B. wrote:
> >
> > You can't honestly suggest that there should be a tool that can check
> > your entire system for any evidence of intrusion and fix it?
>
> Well yes... Since there isn't a handier one, I usually do it by
> restoring a backup from a time when I trusted the machine into a
> subdirectory of some other machine, then running rsync -avn against the
> live one to see what has changed.
>
> --
> Les Mikesell
> lesmikesell@xxxxxxxxx

I had a look at rsync and it is a very handy tool, no doubt. I had some idea what it was about but had never played with it.

Further to my previous posting on md5deep, I had a momentary brain hiccup. You don't need a full backup to compare with. Rather, you generate a file containing all the hashes of your trusted system. You could later on run md5deep in check mode using the hash file you generated, and md5deep would report back which files do not match anymore. Of course you'd have to restore those files from a backup or re-install from a trusted online repository.

The advantage of this for a home user is that it doesn't require a full backup of your system (hence doesn't require all that disk space). md5deep, much like md5sum, simply generates a checksum file. So that is the extent of your additional footprint on your system for using such a system. It's actually pretty much how Tripwire and such tools work.

Having said all that, when you get right down to it, all a home user needs to do to be safe is keep the system updated, exercise good judgement (vis-a-vis email attachments, downloading from untrusted sources, phishing attacks), use very good passwords, and put in a cheap home router/gateway (of course a home router is not applicable for dial-up). That, together with the fact that they are running Linux, does an excellent job of keeping them safe in their single-user environment.
Even a home user that runs a web server with a static site, or has ssh enabled but not for root, will be pretty safe if they follow the above. SELinux is an additional layer of security that certainly can't hurt. But it's not necessary. And if implemented without the necessary skills to do it properly, then it can provide a false sense of security, perhaps even introduce a vulnerability into the system (at minimum it can cause headaches, as we've seen).

In a corporate environment it's obviously very different. Using different means of access control, using other layers of security such as SELinux, implementing physical security measures, are all things that need to be done, and properly.

My advice to home users... if you want to put the time in to learn SELinux and properly troubleshoot issues arising from it, then kudos to you. If you're the type who just wants things to work and doesn't want to be bothered with becoming a security guru, then stay away from such additional layers that require an above-average level of technical and security aptitude. If you are doing the simple things I mentioned previously, then you are ahead of the curve and are pretty safe.

I read somewhere online a while back where they hooked up various unpatched Windows systems (different generations of it) and unpatched Linux systems (don't remember the distros) to the web, totally unprotected. The various Windows versions were all compromised within minutes to hours. None of the Linux ones were. However, when all the updates were applied to these boxes, none of them were compromised (no Windows boxes and no Linux boxes). Now throw an end user into the mix (I am not suggesting anybody here, I am using this in a very generic way), especially one that does not exercise basic security and whose common sense is not quite up to par, and that changes things. The moral of the story supports my suggestion earlier - very basic security and common sense will properly protect the average user.

Jacques B.
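The hash-baseline workflow described in the post (hash a trusted tree once, later report which files no longer match and which have appeared), as an added example that is not code from the thread or from md5deep. It assumes coreutils sha256sum in place of md5deep, which writes the same checksum-file format as md5sum, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: take a hash baseline of a trusted tree,
# then later report what no longer matches, the workflow described for md5deep.
# Assumption: coreutils sha256sum stands in for md5deep; it writes the same
# "<digest>  <path>" checksum-file format and is not weakened like MD5.

# Make a possibly relative path absolute, since the checks below cd into TREE.
abspath() {
    case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$PWD" "$1" ;; esac
}

# make_baseline TREE BASELINE: hash every regular file under TREE. Paths are
# stored relative to TREE so the baseline also checks a copy mounted elsewhere.
make_baseline() {
    baseline=$(abspath "$2")
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) \
        > "$baseline"
}

# check_baseline TREE BASELINE: print "<path>: FAILED" for modified or missing
# files (sha256sum -c) and "NEW: <path>" for files the baseline never saw, the
# equivalent of md5deep's negative-matching mode. Returns 0 only if unchanged.
check_baseline() {
    baseline=$(abspath "$2"); status=0
    ( cd "$1" && sha256sum -c --quiet "$baseline" 2>/dev/null ) || status=1
    # Each baseline line is a 64-hex digest, two spaces, then the path.
    known=$(mktemp)
    cut -c67- "$baseline" | LC_ALL=C sort > "$known"
    new=$( (cd "$1" && find . -type f | LC_ALL=C sort) | comm -13 "$known" - )
    rm -f "$known"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW: /'
        status=1
    fi
    return "$status"
}

# Usage: sh baseline.sh make|check TREE BASELINE. Keep the baseline file off
# the box (or on read-only media): a compromised system can rewrite it.
case $1 in
    make)  make_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```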