Gathering post breach information on linux

xxx_anuj_xxx · 11-12-2005, 08:06 AM

Hello friends!
After installing linux what security measures/steps one should take for gathering Post-Breach Information?
What steps one should take after a security breach?
Please also suggest some good practices(beside updates), informative sites and tools.
Thanks in advance!

hamish · 11-12-2005, 08:29 AM

I use rsync to backup my log files every evening to a different PC.

Also, set the system so taht you can only append to log files, not change/delete lines from them

I cannot remember off the top of my head how I did that.

Hamish

unSpawn · 11-12-2005, 09:34 AM

After installing linux what security measures/steps one should take for gathering Post-Breach Information?
Install file integrity checker like Aide, Samhain or even tripwire, disable services you still have to harden, set up logging, auditing and backups and start hardening host. Please check out the LQ FAQ: Security references, part 1 on hardening and part 5 on recovery.

What steps one should take after a security breach?
Isolate host from network, inform direct and adjacent users, retrieve information, restore (that is : nuke, not revive building on current situation).

Please also suggest some good practices(beside updates), informative sites and tools.
Please read SECREF first, *then* post what you propose to do, *then* ask.
Much more effective.
TIA.

I cannot remember off the top of my head how I did that.
On EXT2/EXT3 filesystems: man chattr, flag, append-only.

xxx_anuj_xxx · 11-12-2005, 10:08 AM

Thankyou unSpawn and hamish!