From secprog-return-510-jm=jmason.org@securityfocus.com Mon Sep 23 18:31:18 2002
Return-Path:
Delivered-To: yyyy@localhost.example.com
Received: from localhost (jalapeno [127.0.0.1]) by jmason.org (Postfix) with ESMTP id 747B916F03 for ; Mon, 23 Sep 2002 18:31:17 +0100 (IST)
Received: from jalapeno [127.0.0.1] by localhost with IMAP (fetchmail-5.9.0) for jm@localhost (single-drop); Mon, 23 Sep 2002 18:31:17 +0100 (IST)
Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [205.206.231.26]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id g8NFICC22953 for ; Mon, 23 Sep 2002 16:18:12 +0100
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing.securityfocus.com (Postfix) with QMQP id AAB618F4BC; Mon, 23 Sep 2002 08:21:13 -0600 (MDT)
Mailing-List: contact secprog-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id:
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
Delivered-To: mailing list secprog@securityfocus.com
Delivered-To: moderator for secprog@securityfocus.com
Received: (qmail 13967 invoked from network); 23 Sep 2002 08:06:03 -0000
Date: Fri, 20 Sep 2002 23:00:42 +0000
From: redhat
To: SECPROG Securityfocus
Subject: Re: use of base image / delta image for automated recovery from attacks
Message-Id: <20020920230041.A1139@xlnt-software.com>
Mail-Followup-To: SECPROG Securityfocus
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.21i
X-Loop: redhat@rphh.org
X-Meow: Your pets will be disembowled if you do not keep up payments.
X-Spam-Status: No, hits=-3.8 required=5.0 tests=IN_REP_TO,KNOWN_MAILING_LIST,REFERENCES,USER_AGENT,USER_AGENT_MUTT,X_LOOP version=2.50-cvs
X-Spam-Level:

reply to the mail from Ben Mord (bmord@icon-nicholson.com):

> Hi,

Hello,

< ... snipped for brevity ... >

> ... This concept could also be
> applied to the application servers, and even the database server partitions
> (except for those partitions which contain the table data files, of course.)

Although the data might just be the information that needs protecting.

> Does anyone do this already? Or is this a new concept?

I've seen this implemented for a shell server, although they chose to have
their root on a CD-WR in a CD-R drive. Which meant that even when compromised
it was only possible to examine other users' data. AFAIR(emember) they just
swapped CDs when a root exploit was found.

> Thanks for any opinions,

NP

blaze your trail
-- 
redhat
'I am become Shiva, destroyer of worlds'
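As an added example of the base-image versus delta-image idea this thread discusses (not code from the original post or from any project named in it): a Python script that hashes a tree into a manifest and classifies the live system against the trusted, read-only base so that drift can be restored or reviewed. The manifest format, path names and hash values in the sample are constructed for the example.

```python
# Added illustration of the base-image / delta-image idea from the thread, not
# code from the original post. Manifest format (relative path -> sha256 hex) and
# the sample entries below are constructed for this example.
import hashlib
import os

def sha256_file(path):
    """Hash one file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_from_dir(root):
    """Record relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def diff_against_base(base, current):
    """Classify the live layer relative to the trusted base image.

    'modified' and 'removed' entries can be restored from the base image;
    'added' entries are the delta that needs a policy decision (keep or wipe).
    """
    return {
        "modified": sorted(p for p in base if p in current and current[p] != base[p]),
        "added": sorted(p for p in current if p not in base),
        "removed": sorted(p for p in base if p not in current),
    }

# Constructed sample: what the base image recorded versus what is live now.
BASE_MANIFEST = {"bin/login": "aaa111", "etc/passwd": "bbb222", "etc/hosts": "ccc333"}
LIVE_STATE = {
    "bin/login": "deadbeef",          # system binary replaced
    "etc/passwd": "bbb222",           # unchanged
    "usr/lib/.hidden.so": "ddd444",   # new file the base image never had
}

if __name__ == "__main__":
    for kind, paths in diff_against_base(BASE_MANIFEST, LIVE_STATE).items():
        print(f"{kind}: {paths}")
```

In practice the base manifest is generated once from the read-only medium (the CD in the post) with manifest_from_dir and stored off the host, and the live tree is rehashed on a schedule.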