Securing IT

Httpd was running with file sharing turned on without authentication? [1] Now that's a security breach if ever there was one. Not sure about the rest; 'chkrootkit' and 'rkhunter' are apparently unreliable on Linux systems, so there's no way of determining whether the system is hosed. Apart from that, it's impossible to protect against an exploit in Mozilla, since that would go unnoticed. That is, a JavaScript/plugin exploit is a 'runtime' exploit: no files are changed on the system, and forensics can only be done on a complete memory dump.
Jailing Mozilla in a separate account would be a partial answer.

There is no way to determine whether the system is broken, except for the fact that I don't like the number of outbound connections made, and some behavior of the machine doesn't seem okay. I sometimes play around with designing my own server park for a small company; so far, it boils down to:
  • A server holding the OS on a HD with a big red button that says 'READ-ONLY'.
  • A file server.
  • Company work machines, light clients.
  • A firewall, blocking everything except for X11/VNC.
  • A secured server for Mozilla, only to be used for that application.
  • A separate mail/webserver which handles mail through an HTTP client.
  • A firewall which blocks most ports, probably even outbound HTTPS.
  • Windows machines.
  • A logger which spies on traffic going in and out.
I guess it boils down to rings of trust, where applications which interact with the outside world should run in a separate outer 'hardware' ring. And the change is that this now includes Mozilla.

[1] WebDAV, file sharing for the masses. Yeah right; have JavaScript connect to the local WebDAV port on a machine?
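The footnote's point, as an added illustration that is not part of the original post: an Apache httpd configuration with a WebDAV share open to anyone, beside one that demands credentials for every request. It assumes the httpd in question is Apache httpd 2.4 with mod_dav, mod_dav_fs and mod_authn_file loaded; all paths and the address range are placeholders.

```apache
# Added example. The weak form first: WebDAV enabled with no authentication,
# so anything that can reach the port, a script in a local browser included,
# can list, upload and overwrite files.
#
# DavLockDB /var/lib/dav/lockdb          # placeholder path
# Alias /share /srv/dav/share            # placeholder path
# <Location "/share">
#     Dav On
#     Require all granted                # this is the hole
# </Location>

# Hardened form: same share, but nobody gets in without credentials,
# and only from the internal network.
DavLockDB /var/lib/dav/lockdb            # placeholder path
Alias /share /srv/dav/share              # placeholder path

<Directory "/srv/dav/share">
    # Serve only the files; no indexes, no per-directory overrides
    Options None
    AllowOverride None
</Directory>

<Location "/share">
    Dav On
    # Credential file maintained with htpasswd (placeholder path)
    AuthType Basic
    AuthName "WebDAV share"
    AuthUserFile /etc/httpd/dav.passwd
    # Both conditions must hold: a valid account AND an internal source address
    <RequireAll>
        Require valid-user
        Require ip 10.0.0.0/8            # assumed company LAN range
    </RequireAll>
</Location>
```

Basic credentials travel in the clear unless the share is only served over TLS, so this belongs inside an HTTPS virtual host.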

Doesn't solve the USB stick, or the sysadmin, problem. A substantial number of your average medium-sized-company underpaid sysadmins are black-hats by nature, driven by 'Oh! You think your system is secure? Alright then...', and most of them can be found on Freenet anyway, or on some illegal IRC channel, exchanging whatever company info they feel like. But it stops somewhere.