S 6.31 Procedural patterns following a loss of system integrity
Initiation responsibility: Information Security Management, Head of IT
Implementation responsibility: User, Administrator
In case of unaccountable behaviour of a Unix system (for instance, undefined system behaviour, untraceable data, modified file contents, continuous reduction of storage space although no data have been saved), a loss of integrity may have occurred due to misuse of the system (e.g. modified system settings, introduction of a Trojan Horse or a virus).
In this case, users should note the following points:
- Keep calm!
- Notify the administrator.
- Exit the current programs.
The administrator should take the following steps:
- Shut-down of the system.
- Start-up of the system so that it can be accessed only from the console (e.g. single-user mode).
- Generation of a complete data backup (this is, for example, useful if data or traces are destroyed during the following investigation).
- Checking the executable files for visible modifications, e.g. creation date and file size (as these can be reset to their original values, the integrity of the files should be checked with checksum systems, such as tripwire).
- Deletion of the executable files and restoration of the original files from write-protected data media (see S 6.21 Backup copy of the software used). (Programs must not be restored from data backups.)
- Checking and, if necessary, restoring the system directories and files and their attributes (e.g. /etc/inetd.conf, /etc/hosts.equiv, cron and at jobs, etc.).
- Checking the attributes of all user directories and files, e.g. with the tripwire checksum procedure, and, if necessary, resetting them to minimum settings (rights for the owner only; no root-owned files, .rhosts or .forward files in user areas; this also applies to blocked accounts).
- Checking all passwords.
- Notifying the users with a request to check their areas for any irregularities.
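As an added illustration of the checksum and attribute checks in the steps above (example code, not part of the BSI safeguard): a minimal baseline/verify pair in the spirit of tripwire plus an audit of a user directory for foreign-owned files, .rhosts/.forward files and world-writable files. It assumes POSIX sh with sha256sum, find, sort, comm and cut available; the fixture data it builds is constructed for the demonstration.

```shell
# Added example (not BSI text). Assumes POSIX sh with sha256sum, find, sort,
# comm and cut; the fixture below is constructed sample data.

# Record a SHA-256 baseline of every regular file under DIR into BASE; run it on
# a known-good system and keep BASE on write-protected media.
build_baseline() {            # usage: build_baseline DIR BASE
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# Compare DIR against BASE: one line per MODIFIED, MISSING or NEW file, nothing
# if intact. (Paths containing newlines are not handled.)
verify_baseline() {           # usage: verify_baseline BASE DIR
    base=$1; dir=$2
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$base"
    find "$dir" -type f | LC_ALL=C sort > "$base.cur"     # current file list
    cut -d' ' -f3- "$base" | LC_ALL=C sort |              # baseline file list
        LC_ALL=C comm -13 - "$base.cur" | sed 's/^/NEW      /'
    rm -f "$base.cur"
}

# Audit HOME, which should belong to USER: files with another owner (e.g. root
# files in a user area), .rhosts/.forward trust files, world-writable files.
audit_home() {                # usage: audit_home HOME USER
    find "$1" ! -user "$2" | sed 's/^/FOREIGN-OWNER  /'
    find "$1" \( -name .rhosts -o -name .forward \) | sed 's/^/TRUST-FILE     /'
    find "$1" -type f -perm -002 | sed 's/^/WORLD-WRITABLE /'
}

# Constructed fixture for a stand-alone run: a tiny bin/ tree with a baseline,
# then one modified, one removed and one unlisted file, plus a home directory.
make_fixture() {              # prints the fixture root
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/home/alice"
    for f in ls ps su; do printf '%s\n' "$f" > "$root/bin/$f"; done
    build_baseline "$root/bin" "$root/baseline.sha256"
    printf 'tampered\n' >> "$root/bin/ps"; rm "$root/bin/su"
    printf 'new\n' > "$root/bin/.unlisted"
    : > "$root/home/alice/.rhosts";  chmod 600 "$root/home/alice/.rhosts"
    : > "$root/home/alice/notes";    chmod 666 "$root/home/alice/notes"
    echo "$root"
}

r=$(make_fixture)             # demo run: report both checks, then clean up
verify_baseline "$r/baseline.sha256" "$r/bin"; audit_home "$r/home/alice" "$(id -un)"; rm -rf "$r"
```

In practice the baseline is taken on a clean system and compared from single-user mode after the backup in the step above, so that the comparison itself does not disturb evidence.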
After all passwords have been changed, they must be communicated to the affected users. Passwords or derivation schemes known to all users should not be used. It is better to create random passwords and to send them to the users over a reliable communication path, for example in sealed envelopes. The password should be changed immediately at the user's next login.
If there is any indication of a deliberate attack on a Unix system, then immediate action must be taken to minimise the resulting damage and prevent any further damage from occurring. To accomplish this, it is necessary to create an alarm plan containing a list of the steps to take and specifying who needs to be informed of the incident (see also S 6.60 Specification of reporting paths for security incidents). If necessary, the alarm plan should also contain information on whether and how the Data Protection Officer and the legal department should become involved.
If any problems arise, you can use the BSI hotline, tel. +49 (0)228-9582-5222 or e-mail certbund@bsi.bund.de.
If data was deleted or undesired changes were made to it, then this data can be restored from the data backups.
Review questions:
- Do procedural patterns following a loss of system integrity exist?
- Does a suitable alarm plan to minimise damage exist?