TODO
- At some point the Red Hat kernel must be updated to stop remote users from crashing the machine.
- Something convenient for exam-anxious students.

Files the last rpm upgrade set aside (review, then merge the local changes back):
  /usr/share/config/kcmlocalerc  saved as /usr/share/config/kcmlocalerc.rpmsave
  /etc/X11/xdm/Xsetup_0          saved as /etc/X11/xdm/Xsetup_0.rpmsave

Keep up to date on patches.
Restrict access with /etc/hosts.allow and /etc/hosts.deny (tcp_wrappers consults hosts.allow first, then hosts.deny; a host matched in neither file is allowed in).
Monitoring tools: nmap, iptraf, tcpdump, ntop
Security news: http://ncb.intnet.mu/security/news03.htm

* tripwire-like check: run md5sum over every file in a subdirectory recursively, without following soft links, and keep the resulting list somewhere it cannot be altered from the machine being checked.
logs
/var/lib/rpm/ (the RPM database)

World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he wishes. To locate all world-writable files on your system, use the following command:

  root# find / -perm -2 ! -type l -ls

(-perm -2 matches any file whose other-write bit, octal 0002, is set; ! -type l skips symbolic links, whose own mode is always 0777 and would otherwise match everywhere. The link targets are checked when find reaches them.)

9.3. Backup Your RPM or Debian File Database

In the event of an intrusion, you can use your RPM database like you would use tripwire, but only if you can be sure it too hasn't been modified. You should copy the RPM database to a floppy, and keep this copy off-line at all times. The Debian distribution likely has something similar.

The files /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm most likely won't fit on a single floppy. But if compressed, each should fit on a separate floppy.

Now, when your system is compromised, you can use the command:

  root# rpm -Va

to verify each file on the system. See the rpm man page, as there are a few other options that can be included to make it less verbose. Keep in mind you must also be sure your RPM binary has not been compromised: run rpm from trusted read-only media, and point it at the off-line copy of the database with --dbpath rather than at /var/lib/rpm, which an intruder could have rewritten along with the files it describes. rpm -V only covers files that belong to packages; anything created locally (scripts, extra configuration, cron jobs) needs the tripwire-like check above.

This means that every time a new RPM is added to the system, the RPM database will need to be rearchived. You will have to decide the advantages versus drawbacks.

Internal integrity system: keep duplicate copies of static files such as packages.rpm that should never change, and compare the live files against the copies.

What to do in case of a security breach:
- send e-mail to korte@lite.msu.edu for now (maybe help@lite.msu.edu?)
- display a warning message to all instructors with limited information about the nature of the security breach
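The tripwire-like recursive md5sum check, the "duplicate static files and compare" idea and the HOWTO's world-writable scan, written out as shell functions. This is an added example, not code from these notes or from the HOWTO they quote. It assumes POSIX sh with find, md5sum, sort, comm, cut, sed and mktemp in PATH (GNU or BusyBox coreutils); the directory and manifest paths (DIR, MANIFEST) are the caller's, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): a minimal tripwire-style
# integrity check plus the world-writable scan, as reusable functions.
#   hash_tree DIR            -> "md5  path" for every regular file under DIR,
#                               recursing without following symlinks
#   baseline DIR MANIFEST    -> record the current state of DIR
#   check_tree DIR MANIFEST  -> print ADDED / REMOVED / CHANGED files;
#                               exit status 0 only when nothing differs
#   world_writable DIR       -> the same test as "find / -perm -2 ! -type l"
# Give DIR as an absolute path so the manifest stays valid regardless of the
# working directory at check time. The manifest itself belongs on read-only
# or off-line media, like the RPM database copy in the notes: a manifest an
# intruder can rewrite proves nothing.

hash_tree() {
    # find does not follow symlinks unless given -L or -H, so a symlinked
    # directory is not descended into, and -type f tests the link itself,
    # so a symlink to a file is skipped instead of being hashed twice.
    find "$1" -type f -exec md5sum {} + | LC_ALL=C sort -k2
}

baseline() {
    hash_tree "$1" > "$2"
}

check_tree() {
    dir=$1
    manifest=$2
    work=$(mktemp -d) || return 2
    # Full "hash  path" lines, baseline and current, both in C collation
    # because comm needs identically sorted input.
    LC_ALL=C sort "$manifest" > "$work/old"
    hash_tree "$dir" | LC_ALL=C sort > "$work/new"
    # Path-only lists. md5sum puts two spaces between hash and path, so with a
    # single-space delimiter the path is field 3 onward (inner spaces survive).
    cut -d' ' -f3- "$work/old" | LC_ALL=C sort > "$work/old_p"
    cut -d' ' -f3- "$work/new" | LC_ALL=C sort > "$work/new_p"
    comm -23 "$work/old_p" "$work/new_p" | sed 's/^/REMOVED /'
    comm -13 "$work/old_p" "$work/new_p" | sed 's/^/ADDED   /'
    # A baseline line that no longer appears, for a path that still exists,
    # means the file's content (its hash) changed.
    comm -23 "$work/old" "$work/new" | cut -d' ' -f3- | LC_ALL=C sort \
        | comm -12 - "$work/new_p" | sed 's/^/CHANGED /'
    ndiff=$(comm -3 "$work/old" "$work/new" | wc -l)
    rm -rf "$work"
    [ "$ndiff" -eq 0 ]
}

world_writable() {
    # -perm -0002: the other-write bit is set (octal form of the HOWTO's -2).
    # ! -type l: a symlink's own mode is always 0777, so without this every
    # link on the system would be reported; targets are checked when reached.
    find "$1" -perm -0002 ! -type l -print
}
```

Typical use: `baseline /etc /mnt/floppy/etc.md5` once the system is known-good, then `check_tree /etc /mnt/floppy/etc.md5` from a cron job or after an incident; a non-zero exit status means something was added, removed or altered. The check is only as trustworthy as the md5sum and find binaries it runs, which is the same caveat the notes make about the rpm binary.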