[svlug] worms -n stuffy - backups

Dagmar d'Surreal dagmar at dsurreal.org
Thu Jun 7 21:57:01 PDT 2001


On Thu, 7 Jun 2001, Alvin Oga wrote:

> you might not know when the "intrusion" occurred ...
> 
> install xx  today... wait a day, a month....apply xx  ....
> go back a month/two later and now you have a box under your control
> undetected ...cause they have not found it in 2 months ???

Mebbe it'll be clearer this time around...  Part of the reason I make my
backups right after the initial install and config is to _avoid_ the
possibility that I might be backing up compromised binaries.  I tend to
avoid the "whole filesystem" technique (grandfathering or not) for this
very reason.

> > Keeping a careful eye on what one backs up as opposed to what files merely
> > have newer mtimes than the last backup gives one a good opportunity to
> > verify those integrity checksums as well.  ;)
> 
> eyes are doomed to fail... guaranteed ..!!!!

It was a figure of speech referring to paying close attention to how my
backups are made, rather than just trying to blindly backup / and keep
track of incremental changes.

> besides ... looking at backup logs and tripwire logs are *really* boring....
> and nobody can do that task for you .... *you* are the only one that is
> gonna care  about the accuracy of the logs and accuracy of the changes
> made to the system  ( daily, weekly, monthly) ....

Yup, and aside from software upgrades, binaries don't often change at
all.  With a little extra time spent at the outset, binary packages are a
lot easier to manage than user data.

Now if we're done with jumping to conclusions and making blind assumptions
for awhile...
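The workflow argued for above (baseline the binaries right after install, then check them against that baseline rather than trusting "newer mtime than the last backup" as the signal for what changed) as an added example; this is not code from the original post or from Tripwire. It builds a sha256 manifest of a constructed sample tree, then shows a file replaced with its old timestamps copied back: an mtime-driven incremental pass never selects it, the hash check flags it. All paths and sample contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an integrity baseline of a
# freshly installed tree (sha256 of every regular file) and later checks the
# tree against it before a backup, reporting MODIFIED / MISSING / ADDED paths.
# Also shows why "newer mtime than the last backup" is a weaker test: a file
# replaced with its old mtime copied back is invisible to find -newer but not
# to the hash check. Paths and sample files below are constructed.

# Emit "hash  ./path" for every regular file under $1, sorted by path.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# Compare the tree under $1 with the manifest $2 (as written by make_baseline).
# Prints one line per drifted file and returns 0 only when nothing drifted.
verify_baseline() {
    report=$(make_baseline "$1" | awk '
        NR == FNR { base[$2] = $1; next }          # first file: the manifest
        {
            if (!($2 in base))       print "ADDED", $2
            else if (base[$2] != $1) print "MODIFIED", $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING", p }
    ' "$2" - | LC_ALL=C sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# What an mtime-driven incremental backup would pick up: files under $1 whose
# mtime is newer than the stamp file $2 (touched at the end of the last backup).
newer_than() {
    (cd "$1" && find . -type f -newer "$2")
}

# Constructed sample tree standing in for a just-installed system.
setup_tree() {
    mkdir -p "$1/bin"
    printf 'original ls\n'      > "$1/bin/ls"
    printf 'original ps\n'      > "$1/bin/ps"
    printf 'original netstat\n' > "$1/bin/netstat"
}

# Replace the file $1 but copy its old timestamps back onto it, so an
# mtime-based incremental pass does not notice the replacement.
tamper_preserving_mtime() {
    saved=$(mktemp)
    cp -p "$1" "$saved"
    printf 'replaced content\n' > "$1"
    touch -r "$saved" "$1"
    rm -f "$saved"
}

# Walk through the whole cycle and print what each method sees.
run_demo() {
    work=$(mktemp -d)
    setup_tree "$work"
    make_baseline "$work" > "$work.manifest"   # taken right after "install"
    touch "$work.stamp"                        # end of the last backup run
    sleep 1                                    # keep mtimes unambiguous

    tamper_preserving_mtime "$work/bin/ps"     # old mtime, new content
    printf 'extra\n' > "$work/bin/.extra"      # new file, new mtime
    rm -f "$work/bin/netstat"                  # file removed

    echo "selected by mtime alone:"
    newer_than "$work" "$work.stamp"
    echo "drift against the install-time baseline:"
    verify_baseline "$work" "$work.manifest" || echo "review before backing up"

    rm -rf "$work" "$work.manifest" "$work.stamp"
}

run_demo
```

Keep the manifest off the box it describes (or at least outside the tree it covers), otherwise it is just one more file for an intruder to rewrite; Tripwire's database is treated the same way. The MISSING and ADDED cases matter as much as MODIFIED: a dropped binary or a new dotfile in a system directory is exactly what a backup made "right after install" lets you notice.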