RFC 1244 Site Security Handbook July 1991
scenario, a record of the original systems setup and each
customization change should be kept current with each change to
the system.
6.2.3 Follow up
Once you believe that a system has been restored to a "safe"
state, it is still possible that holes and even traps could be
lurking in the system. In the follow-up stage, the system should
be monitored for items that may have been missed during the
cleanup stage. It would be prudent to use some of the tools
mentioned in section 3.9.8.2 (e.g., COPS) as a start. Remember,
these tools don't replace continual system monitoring and good
systems administration procedures.
6.2.4 Keep a Security Log
As discussed in section 5.6, a security log can be most valuable
during this phase of removing vulnerabilities. There are two
considerations here. The first is to keep logs of the procedures
that have been used to make the system secure again; these should
include command procedures (e.g., shell scripts) that can be run
on a periodic basis to recheck the security. The second is to keep
logs of important system events, which can be referenced when
trying to determine the extent of the damage from a given incident.
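The periodic recheck script that 6.2.4 recommends keeping with the security log, which also serves the follow-up monitoring of 6.2.3, as an added example that is not part of RFC 1244: it records a baseline of file checksums and permissions after cleanup, then reports any drift and appends the outcome to a log. File names and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from RFC 1244: a periodic recheck script of the kind
# section 6.2.4 says to keep with the security log.  It records a baseline
# of each regular file's CRC, size and permission string under a directory
# and later reports files that changed, appeared or vanished, logging the
# outcome.  All file names and paths are assumptions for illustration.

# snapshot DIR: one "crc size perms path" line per regular file, sorted
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(cksum < "$f")               # $1 = CRC, $2 = byte count
        perms=$(ls -ld "$f" | cut -d' ' -f1) # e.g. -rw-r--r--
        printf '%s %s %s %s\n' "$1" "$2" "$perms" "$f"
    done
}

# baseline DIR BASEFILE: record the known-good state right after cleanup
baseline() {
    snapshot "$1" > "$2"
}

# recheck DIR BASEFILE LOGFILE: compare the live tree with the baseline.
# Prints drift lines ("<" = baseline entry no longer matches, ">" = current
# entry not in baseline), appends a timestamped record to LOGFILE, and
# returns 0 when nothing changed or 1 when drift was found.
recheck() {
    drift=$(snapshot "$1" | diff "$2" - | grep '^[<>]' || true)
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if [ -z "$drift" ]; then
        printf '%s recheck %s: OK\n' "$stamp" "$1" >> "$3"
        return 0
    fi
    printf '%s recheck %s: CHANGES\n%s\n' "$stamp" "$1" "$drift" >> "$3"
    printf '%s\n' "$drift"
    return 1
}

# Command-line use, e.g. from cron (paths are placeholders):
#   sh recheck.sh baseline /etc /var/secure/etc.baseline
#   sh recheck.sh recheck  /etc /var/secure/etc.baseline /var/secure/security.log
case "${1:-}" in
    baseline) baseline "$2" "$3" ;;
    recheck)  recheck "$2" "$3" "$4" ;;
esac
```

Because the baseline is itself evidence, store it and the log somewhere the monitored system cannot modify (removable or remote storage), as the handbook's logging advice implies.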
6.3 Capturing Lessons Learned
6.3.1 Understand the Lesson
After an incident, it is prudent to write a report describing the
incident, the method of discovery, the correction procedure, the
monitoring procedure, and a summary of the lessons learned. This
will aid in a clear understanding of the problem. Remember, it is
difficult to learn from an incident if you don't understand its
source.
6.3.2 Resources
6.3.2.1 Other Security Devices, Methods
Security is a dynamic, not a static, process. The measures that
suit a site depend on the nature of the security available at that
site and on the array of devices and methods that will help
promote security. Keeping up with the security area of the
computer industry and its methods will assure a security manager
of taking advantage of the latest technology.
Site Security Policy Handbook Working Group [Page 80]