Use a checklist.
Safeguard the system logs.
While you're installing the operating system, install as little as you can get away with. It's much easier to avoid installing items than it is to delete them completely later on. For that matter, once your operating system is minimally functional, it's not hard to add components if you discover you need them. Don't install any optional subsystems unless you know you will need them.
If you are reusing a machine that has already had an operating system installed on it, be sure to erase all data from the disks before doing the reinstall. Otherwise, you cannot guarantee that all traces of the old system are gone.
In addition, be sure to get from the Computer Emergency Response Team Coordination Center (CERT-CC) any advisories relevant to your platform, and work through them. (For information on how to contact CERT-CC and retrieve its information, see the list of resources in Appendix A, "Resources".)
Many operating systems have both recommended and optional patches, or have periodic patch sets (called service packs for Windows NT) with individual patches issued in between (Microsoft calls these hot fixes). You should install the current recommended patch set, plus all other security-related patches that are relevant to your installation.
The solution to these seemingly contradictory requirements is to keep two copies of the system logs -- one for convenience, the other for catastrophes. The details of the logging services are operating-system dependent and are discussed in the chapters on individual operating systems.
These logs need to be kept separate from the bastion host and kept for a long time. Sometimes you will discover an intruder a long time after the original compromise (among other things, it's not unusual for an intruder to break into a bunch of machines and install back doors for later use; a compromised machine may be left alone for months).
If you have a write-once device available to you, use that device; doing so is probably the technically easiest way to keep the logs, especially if your write-once device can emulate a filesystem. Be sure you can trust the write-once feature. Some magneto-optical drives are capable of both multiple-write and write-once operations and keep track of the mode they're in via software. If the system is compromised, it may be possible to overwrite or damage previously written parts of the supposedly write-once media.
The other methods available to you will differ depending on the operating system you are using and are discussed in Chapter 11, "Unix and Linux Bastion Hosts", and Chapter 12, "Windows NT and Windows 2000 Bastion Hosts".
What you would like to do is to log everything except events that are frequent and nonthreatening. Don't try to limit your logging to dangerous or interesting events because it's hard to successfully predict which those are going to be. Instead, log everything you can stand, eliminating only the known clutter.
For instance, Windows NT provides the ability to log all accesses to files. You don't want to turn this on for all files on a bastion host; you'll drown in routine accesses to the files the host touches as it provides its services. On the other hand, you probably do want to log all accesses to system files that aren't accessed by the services. These files shouldn't be touched often, and the nuisance caused by the log entries when you do maintenance work will be compensated for by the number of attacks you can detect.
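The two logging policies contrasted above, as an added example that is not from the book: a filter that drops only enumerated, known-clutter patterns, beside the "keep only interesting events" filter the text warns against. The sample log lines and the patterns are constructed for the example and are not from the page.

```python
import re

# Constructed sample log lines (not from the page); the last line is the kind of
# unanticipated event neither policy's author thought to list in advance.
SAMPLE_LOG = [
    "Jan 10 03:14:01 bastion httpd: GET /index.html 200 from 192.0.2.10",
    "Jan 10 03:14:02 bastion audit: object access SUCCESS C:\\InetPub\\wwwroot\\index.html by IUSR",
    "Jan 10 03:14:05 bastion audit: object access SUCCESS C:\\WINNT\\system32\\drivers\\etc\\hosts by Administrator",
    "Jan 10 03:14:07 bastion sshd: session opened for user admin",
    "Jan 10 03:14:09 bastion kernel: unexpected module load request",
]

# Known clutter: routine, high-volume events with no security signal.  This list is
# deliberately narrow; anything it does not name is kept.
KNOWN_CLUTTER = [
    re.compile(r"httpd: GET \S+ 200 "),                       # successful web hits
    re.compile(r"object access SUCCESS C:\\InetPub\\wwwroot\\"),  # reads of served content
]

# The opposite policy: a list of patterns someone predicted would be "interesting".
INTERESTING = [
    re.compile(r"session opened"),
    re.compile(r"object access .*WINNT"),
]


def keep_unless_clutter(lines, clutter=KNOWN_CLUTTER):
    """Log-everything policy: drop a line only if it matches a known-clutter pattern."""
    return [line for line in lines if not any(p.search(line) for p in clutter)]


def keep_only_interesting(lines, patterns=INTERESTING):
    """Predict-the-attack policy: keep a line only if it matches a predicted pattern."""
    return [line for line in lines if any(p.search(line) for p in patterns)]


def missed_by_interesting_list(lines):
    """Events the log-everything policy retains but the predicted-pattern policy discards."""
    predicted = set(keep_only_interesting(lines))
    return [line for line in keep_unless_clutter(lines) if line not in predicted]


if __name__ == "__main__":
    for line in missed_by_interesting_list(SAMPLE_LOG):
        print("would have been lost:", line)
```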