An update on the Fedora August 2008 intrusion

Posted Mar 30, 2009 15:41 UTC (Mon) by qg6te2 (guest, #52587)
In reply to: An update on the Fedora August 2008 intrusion by kragil
Parent article: An update on the Fedora August 2008 intrusion

Yes, a quick response, but the detection of the intrusion can be considered as a fluke. The margin for error appears to have been too little to begin with.

2008-08-12 22:51:00 - Cron job failed, notified admins.

If the intruder had been just a little bit more careful, it is entirely possible that either the security problem would have been an order of magnitude bigger when finally discovered (e.g. many compromised packages, with possible destructive payloads, botnet operation, etc.), or to this day we would have no idea that something is going on.


An update on the Fedora August 2008 intrusion

Posted Mar 30, 2009 15:49 UTC (Mon) by spot (subscriber, #15640)

You're right, which is one of the reasons why we've since added a lot of additional security mechanisms and measures to protect and monitor our infrastructure. We've been working on using SELinux policy on all of our systems, enabling rootkit detection, and improving our monitoring policies.

An update on the Fedora August 2008 intrusion

Posted Mar 30, 2009 16:14 UTC (Mon) by kragil (guest, #34373)

That is good to hear. You cannot count on being lucky twice.

It always takes events like this to make changes .. I really hope other distros learn from your mistakeS.

Would be great if Novell, Canonical and Debian would openly disclose how their infrastructure is protected. (In detail.)

At the end of the day my system is dependent on a secure infrastructure from the supplier of the binary packages.

Security by obscurity does not work .. let people openly discuss the measures taken and you will deter attackers and possibly strengthen your system by getting new ideas or by finding (obvious) flaws.

An update on the Fedora August 2008 intrusion

Posted Mar 30, 2009 19:03 UTC (Mon) by nix (subscriber, #2304)

If the intruder had simply done a better job of log sanitization, the failed cron job would have been no clue. (Of course that may have been hard: he apparently hadn't escalated to root on that machine, let alone got at the loghost(s)...)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds