Marc Hughes wrote:
It's not my box, so I need to be sensitive to the office politics so no one says something like, "Well, since we can't secure Linux, NO MORE LINUX".
h4x0rs? And I guess an even bigger concern is the office politics things. How do I bring this to the big-wigs in a "good" light?
Rather than highlight that you think the box may have been compromised (because if it has it may be too late, but since the box has been running for some time it will likely continue to run for another week or two), the best approach is likely to indicate that it is time to update the software on the box; indicate that there are updated versions of the SMTP and POP servers available at no cost to your company. Also mention that there are some other tools that could be installed to improve security. Don't raise what could be a false alarm by saying that the box is completely unsafe and should be immediately pulled from the network (then all MS Windows IIS boxes should be pulled according to Gartner, who has been accused of being in bed with Redmond at times).

Since you have more familiarity with Linux than the current maintainer - offer to head up the effort and put together a small project plan including the transition and training of the webmaster (make your life easier later by spending the time now to train the webmaster and put together some simple, easy-to-use documentation) (not knowing your environment, that could be as simple as a todo list on a napkin to a detailed plan with impact checklists etc.).

Rather than highlight the security holes that you know exist - HIGHLIGHT THE IMPROVEMENTS YOU WILL BE MAKING AND THE IMPROVED SECURITY YOU WILL BE PUTTING IN PLACE. Avoid getting overly technical; use simple, easy-to-understand arguments that highlight the benefits of your proposed improvements. Make sure that the "group" that owns the machine feels you are helping them, and not taking over for them. You need to make sure that they still feel that they are in control. You need to remain calm and show confidence in the previous choice in using Linux, and use this as an opportunity to show the support the open source community provides with the constant improvements that are made to open source software.

Also ensure that you get the webmaster checking the CERT advisories for the software exposed (another reason you need good docs with version and basic config of sendmail etc.). Another great thing is that you can show that the company will not have to outlay any cash - since the software is free. They will have the time to update the software - but think about the time to update if you were running Exchange on NT? Either way that is a given. Use the opportunity to highlight the benefits of open source, not the dangers of the internet! Best of luck!