By Aeleen Frisch
We spend time and energy securing our systems, but what do we do if we find a breach? In this unfortunate instance the solution may or may not be extreme, according to Aeleen Frisch's book Essential System Administration,
If one of the security monitoring tools you use finds a problem, there are two concerns facing you: preventing further damage and correcting whatever the current problem is. How strongly you react depends to a great extent on the security requirements of your site; everyone needs to investigate every unexpected change to the system uncovered in a security check, but how quickly it has to be done and what to do in the meantime will depend on the problem and how much of a risk you and your site are willing to assume.
For example, suppose Tripwire finds a single change on the system: the group owner of /usr/local/bin has been changed from bin to system. Assuming you've set up an appropriate configuration file and are running Tripwire nightly, you can probably change the group owner back and find out which system administrator made this silly mistake. At the other extreme, if the one change is a replacement of /ect/passwd, and you are doing only minimal security monitoring -- checking file ownerships, modes, sizes and modification dates -- you've got a much bigger problem. You can no longer really trust any file on the system because the data you have isn't good enough to determine which files have been altered. In such an extreme case, this is the right -- if extremely painful -- thing to do:
Reboot the system immediately to single-user mode, in order to attempt to get rid of any malignant users or processes (Note: There are more complex strategies for handling an intrusion-in-progress; however, they are not recommended for the uninitiated or the faint-hearted.). Disconnect the system from any unsecured network (which is pretty much any network).
Back up any files you cannot afford to lose (but be aware that they may already be tainted). Back up all log and accounting files to aid in future investigation of the problem.
You may want to keep the system down while you investigate. When you are ready to bring the system back online, reinstall the operating system from scratch (including remaking all filesystems). Restore other files manually and check them out carefully in a secure filesystem. Rebuild all executables for which you have the source code.
The severity of this cure should emphasize once again the importance of formulating and implementing an effective security monitoring process.
Related book Essential System Administration, Second Edition
Author : Aeleen Frisch
Publisher : O'Reilly & Associates
ISBN/CODE : 1565921275
Cover Type : Soft Cover
Pages : 788
Published : Sept. 1995
Essential System Administration takes an in-depth look at the fundamentals of UNIX system administration in a real-world, heterogeneous environment. The book approaches UNIX system administration from the perspective of your job -- the routine tasks and troubleshooting that make up your day. Whether you're dealing with frustrated users, convincing an uncomprehending management that you need new hardware, rebuilding the kernel, or simply adding new users, you'll find help in this book. You'll also learn about back up and restore and how to set up printers, secure your system and perform many other system administration tasks. But the book is not for full-time system administrators alone. Linux users and others who administer their own systems will benefit from its practical, hands-on approach.
This was first published in January 2001