Wednesday, February 29, 2012

Security Incident Response


UNIX System

Purpose:

This document is to serve as a “guide” for SIRT personnel when encountering a possible compromised Unix/Linux system and in no way serves as an absolute requirement to perform every tasked listed within. The SIRT personnel shall apply best effort to acquire as much information within a minimal amount of time in order identify, contain and eradicate any security threat to minimize it’s affects to the organization.

Identification Phase:

Note: Depending on the OS distribution, version and configuration, some item may be located in different areas or not present on the host.

Vital Data to Collect

Run “script {hostname}.txt
Run “date >> systeminfo.txt
Run “w >> systeminfo.txt
Run “last >> systeminfo.txt
Run “lastlog >> systeminfo.txt
Run “uname –a >> systeminfo.txt
Run “ls / –alRu > atime.txt
Run “ls / –alRc > ctime.txt
Run “ls / –alR > mtime.txt
Run “ps –aux > process.txt” (Solaris “ps –eaf > process.txt”)
Run “netstat –an > netstat.txt
Run “netstat –anp > netstatp.txt” (Solaris “lsof –i > netstatp.txt”)

Area to look for compromise

The below section is a list of area that you may want to look at for indication of compromise. This list is not all inclusive and depending on the host some of the below items may or may not be present on the host or in the location indicated.
Is a sniffer installed? Check to see if the network card is in promiscuous mode
    • Ifconfig –a (root access)
System Logs (/var/adm or /var/log)
    • /var/log/httpd/access_log check web logs access to webserver
    • syslog look for anomalies in the file
    • xferlog ftp transfer log
    • messages look for anomalies in the file

System Configuration
    • /etc/passwd to look for unauthorized users accounts or privileges
    • /etc/shadow to ensure every account requires password authentication (root access)
    • /etc/groups to look for escalation in privileges and scope of access
    • /etc/hosts to list the local DNS entries
    • /etc/hosts.allow and /etc/hosts.deny to check TCP Wrapper rules
    • /etc/crontab
    • /etc/inetd.conf and xinetd.conf to list the services initiated by the config files

Final Steps

Stop “script” command by using control-D
Run “md5sum * > md5sum.txt” on all files collected

Explanation of the collection of data.


When performing an analysis of a live Unix system for signs of Compromise, all efforts should be made to collect as much vital data that is feasible. Vital data is that data that would be lost if the system was to be powered off i.e. current processes running on the system, network connections, who currently logged on the system etc.
Command: script {hostname}.txt
Records the active terminal session activity to a file with the name of the host. Can later be printed with the lpr command. To exit from script command press the control-D, exit or logout from terminal shell.
Command: date >> systeminfo.txt
Documenting the date and time of the system is critical. It provides the Incident Respondent a time reference to gage and compare activity discovered on the system.
Command w >> systeminfo.txt
Identifies who is currently logged on the system by displaying the user IDs of the logged on users, what system they logged on from and what they are currently executing on the system.
Command last >> systeminfo.txt
Searches back through the binary file /var/log/wtmp and saves a list of all users logged in (and out) of the host since the file was created to the systeminfo.txt file.
Command lastlog >> systeminfo.txt
Formats and prints content of the binary last login log /var/log/lastlog file to the systeminfo.txt file.
Command uname –a >> systeminfo.txt
Saves system information i.e. kernel-name, kernel-version, operating system, version etc to systeminfo.txt file.
Command ls / –altRu > atime.txt
List “access times” about the files in the “/” (root) directory and below. Saves the results to the “atime.txt” file.

Command ls -altRc > ctime.txt
List “change times” about the files in the “/” (root) directory and below. Saves the results to the “ctime.txt” file.

Command ls / –altR > mtime.txt
List “modification times” about the files in the “/” directory and below. Saves the results to the “mtime.txt” file.

Command netstat –an > netstat.txt
Enumerates the open ports on the system and writes the results in the netstat.txt file
Command netstat –anp > netstatp.txt
Enumerates the open ports of the system along with mapping the name of the application and it’s process ID (PID) to the open ports.


No comments:

Post a Comment