Box Cracked ( Was: thank's )

Dave Burns tburns at
Sun Oct 21 21:50:01 UTC 2007

> A good thing would be to (for each distro) somehow document what is normal on a default installation (if such exists).

There's really no such thing as a default install. Every response you
make when you install makes your install different from someone
else's, even if you take the defaults as much as possible.

What you seem to want might be satisfied by running aide or tripwire
after an install but before you ever plugged in your ethernet cable or
allowed wireless to connect. This would work better if you already had
all your update rpms downloaded and available locally, since if you
use the net to update the install your system will no longer look much
like the baseline you established. But these only track files, not
open ports, running processes, etc. And if the intruder knows where
you're looking, they can put their stuff somewhere else.

I've been dabbling with tripwire and aide; running yum update always
makes life difficult. Update gnome or something else big and tripwire
will report every file that changed. That's what we asked for, but it
is info overload for sure. And tripwire is kind of a headache to learn
and set up.

> there are quite a lot of rootkits that look for those anti-rootkits, and if they
> find them they'd patch them in order not to show themselves in the results.

Any security measure has its countermeasure. That doesn't mean they're useless.
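As an added illustration of the baseline-then-compare approach described above (example code, not aide or tripwire itself): a minimal file-integrity check that records hash, mode, ownership and size for every file under a root, skips churn-prone prefixes such as logs, and reports what differs from the baseline. The directory tree it walks is constructed in a temp directory and the "tampering" is simulated.

```python
import hashlib, os, stat, tempfile

def file_record(path):
    """Capture what an integrity checker watches: hash, mode, owner, size."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec

def build_baseline(root, ignore=()):
    """Walk root and record every file; skip prefixes that churn (logs, caches)."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if not any(rel.startswith(i) for i in ignore):
                base[rel] = file_record(os.path.join(dirpath, name))
    return base

def compare(old, new):
    """Report added, removed and changed paths, the way a tripwire check does."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in common if old[p] != new[p])}

def demo():
    """Constructed tree standing in for a freshly installed, still-offline box."""
    root = tempfile.mkdtemp()
    def put(rel, data, mode="w"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), mode) as f:
            f.write(data)
    put("usr/bin/ls", "original binary")
    put("var/log/messages", "boot\n")
    baseline = build_baseline(root, ignore=("var/log",))  # taken before networking
    # Later: one binary replaced, one file dropped in, logs grow (expected noise).
    put("usr/bin/ls", "modified binary")
    put("usr/bin/.hidden", "new file")
    put("var/log/messages", "more\n", mode="a")
    return compare(baseline, build_baseline(root, ignore=("var/log",)))
```

The log append is filtered out by the ignore prefix, so only the replaced binary and the new file are reported; drop the ignore list and every changed log line would show up too, which is the info-overload problem the post describes after a large update.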
