Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
You're both right of course. I'd like to think there's also knowledge involved (or lack thereof: especially with those that don't even know know GNU/Linux except for the web-based panels they "administer" machines from) but of course even knowledge (the right way) doesn't prohibit people from making bad decisions anyway, especially where things boil down to simple economics...
OK, so except for money, trends, referrals and contracts (both good points!) there should also be ways to check for security practically, right? Web stack checklists, specific diagnostic tools, et cetera?
DISA's STIGs totally slipped my mind! Thanks for the reminder!
There are also quite a few non-govt-related write-ups similar to DISA's STIGs.
I worked for one government organization that was trying to apply STIGs as policy. While this is usually a good practice, this particular organization was doing several things that were a bit extreme:
1. Installing AV on Linux hosts that were dedicated NIDS.
2. Installing iptables on Linux hosts that were dedicated NIDS.
I disagree with doing the above. Those particular IDSs were dropping packets BEFORE AV was installed. They were dealing with extreme amounts of traffic and had a pretty decent signature base. Adding AV to this mix is a recipe for disaster, as both IDS software and AV usually has high levels of overhead. The systems were also pretty deep into the network. IMO, using iptables was like using a sledgehammer when a regular hammer was the better tool.
What ticked me off about all of this was the organization's blind acceptance of a guideline. IDSs should always be bastion hosts. Sometimes, exceptions to guidelines and policy needs to be made.
They also had DNS services running on one particular platform of IDS, which kept crashing the server because of the high stress of sniffing and resolving addresses.
I think it is important to not overload certain systems. The STIGs are pretty good but organizations that have the need to follow STIGs should know that these are only recommendations. Seeing smart people do dumb things makes me not want to work for them (yeah, it wasn't long after that that I left).
Last edited by unixfool; 11-29-2009 at 06:47 PM.
Reason: slight edit
Monitoring computer systems for evidence of malicious activity, and reacting to such activity when it's detected. With coverage of Windows and Unix systems as well as non-platform-specific resources like Web services and routers, the book covers the fundamentals of incident response, processes for gathering evidence of an attack, and tools for making forensic work easier.
Monitoring computer systems for evidence of malicious activity, and reacting to such activity when it's detected. With coverage of Windows and Unix systems as well as non-platform-specific resources like Web services and routers, the book covers the fundamentals of incident response, processes for gathering evidence of an attack, and tools for making forensic work easier.
Looks like a good book, its from 2003 though, so I'm sure there have been a lot of changes since then.
Looks like a good book, its from 2003 though, so I'm sure there have been a lot of changes since then.
The tools used to attack have changed, but how you respond to an attack hasn't. This book isn't about how to protect yourself against the latest threats, it assumes that you will be attacked and that the attacker will succeed. This book covers what to do BEFORE that attack, what do do when you detect the attack, how to gather information about the attack, how to recover from an attack, and how to document the attack and your response for possible use by the courts, and so you know that you've succeeded in removing any back doors or malware left behind by the attacker.
The tools used to attack have changed, but how you respond to an attack hasn't. This book isn't about how to protect yourself against the latest threats, it assumes that you will be attacked and that the attacker will succeed. This book covers what to do BEFORE that attack, what do do when you detect the attack, how to gather information about the attack, how to recover from an attack, and how to document the attack and your response for possible use by the courts, and so you know that you've succeeded in removing any back doors or malware left behind by the attacker.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.