IT Baseline Protection Manual S 6.31 Procedural patterns following a loss of system integrity
Initiation responsibility: Head of IT Section, IT Security management
Implementation responsibility: Administrator, IT users
If a Unix system behaves in an unexplained way (for instance undefined system behaviour, data that can no longer be located, modified file contents, or steadily shrinking free storage space although no data have been saved), a loss of integrity may have occurred as a result of misuse of the system (e.g. unauthorised administrators, modified system settings, or the introduction of a Trojan horse or a virus).
Users should observe the following procedure in this case:

1. Keep calm.
2. Notify the administrator.
3. Exit the current programs.
The administrator must take the following steps:

1. Shut down the system.
2. Start the system so that it can be accessed only from the console (e.g. single-user mode).
3. Check the executable files for visible modifications, e.g. creation date and file size. As these values can be reset to their original values by an attacker, the integrity of the files should be checked with a checksum system such as tripwire, against a baseline that was recorded on the known-good system.
4. Delete the executable files and restore the original files from write-protected data media (cf. S 6.21 Backup copy of the software used). Programs must not be restored from data backups, since the backups may already contain the manipulated versions.
5. Check the attributes of all user directories and files, e.g. with the tripwire checksum procedure, and where necessary reset them to minimum settings (access rights for the owner only, no root-owned files in user areas).
6. Check the attributes of all system directories and files and correct them where necessary.
7. Ask the users to check their own areas for irregularities.
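The following script is an added example and is not part of S 6.31 or of any BSI tool; it shows, on constructed files in a temporary directory, the kind of checksum comparison the tripwire step above relies on, plus the check for root-owned or setuid files in user areas. The function names (build_baseline, verify_baseline, suspect_user_files, run_demo) are hypothetical, and the script assumes GNU coreutils (sha256sum, stat -c, mktemp) and awk.

```shell
#!/bin/sh
# Added example (not from S 6.31): minimal checksum baseline and integrity check.
# Runs only on constructed files under a temporary directory. Assumes GNU
# coreutils (sha256sum, stat -c, mktemp) and awk.

# Record one line per regular file below $1 into file $2:
#   <sha256> <octal mode> <uid> <path>
# A baseline is only meaningful if it was produced on a known-good system and
# stored on write-protected media; one kept on the compromised host is worthless.
build_baseline() {
    find "$1" -type f | sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %u' "$f")
        printf '%s %s %s\n' "$sum" "$meta" "$f"
    done > "$2"
}

# Compare baseline file $1 against the current state of directory $2.
# Prints one finding per line (MODIFIED, MODE, OWNER, NEW, MISSING); prints
# nothing when the tree matches the baseline.
verify_baseline() {
    cur=$(mktemp)
    build_baseline "$2" "$cur"
    awk '
        NR == FNR { bsum[$4] = $1; bmode[$4] = $2; buid[$4] = $3; next }
        {
            seen[$4] = 1
            if (!($4 in bsum))          print "NEW      " $4
            else if (bsum[$4] != $1)    print "MODIFIED " $4
            else if (bmode[$4] != $2)   print "MODE     " $4
            else if (buid[$4] != $3)    print "OWNER    " $4
        }
        END { for (p in bsum) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$cur" | sort
    rm -f "$cur"
}

# Files in user areas that are owned by root or carry setuid/setgid bits
# should not exist there and are reported for review.
suspect_user_files() {
    find "$1" -type f \( -user 0 -o -perm -4000 -o -perm -2000 \) | sort
}

# Demo on constructed files: record a baseline, simulate tampering, re-check.
run_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/home/alice"
    printf 'echo hello\n' > "$root/bin/hello"
    printf 'echo ls\n'    > "$root/bin/ls"
    printf 'notes\n'      > "$root/home/alice/notes.txt"
    chmod 755 "$root/bin/hello" "$root/bin/ls"

    build_baseline "$root" "$root.baseline"

    # Constructed tampering: changed content, setuid bit in a home directory,
    # a planted hidden file, and a removed file.
    printf 'echo hello; cat /etc/passwd\n' > "$root/bin/hello"
    chmod 4755 "$root/home/alice/notes.txt"
    printf 'x\n' > "$root/bin/.hidden"
    rm "$root/bin/ls"

    echo "== integrity findings =="
    verify_baseline "$root.baseline" "$root" | sed "s|$root||"
    echo "== suspect files in user areas =="
    suspect_user_files "$root/home" | sed "s|$root||"

    rm -rf "$root" "$root.baseline"
}

run_demo
```

The comparison deliberately reports a changed mode or owner even when the content hash still matches, because a setuid bit added to an otherwise unchanged file is exactly the kind of manipulation step 5 and 6 are looking for. Real deployments should keep the baseline and the checking tool itself off the examined host.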
If any problems arise, you can use the BSI hotline, tel. ++49+228/9582-444 or E-mail cert@bsi.de.
If data have been deleted or been subject to undesired modifications, such data can be restored from the data backups.
Additional controls:

- Are the users regularly advised of the requirement to inform the administrator at once in case of irregularities?
- Are these measures also implemented?
- Are there administrators with the pertinent know-how?