Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Guidelines for Running a Secure System
Chapter 8 781
3. Mount all file systems, using mount -a.
Until their integrity has been verified, set restrictive directory
permissions (drwx------) to prevent users from accessing the
questionable files. This is a short-term solution only.
4. Compare file sizes from the previously backed-up system to the
current one. Examine the dates that files were last written, and check
checksums, byte counts, inodes, and ownership. Suspect any files whose
sizes differ unexpectedly. Remember, however, that some system
files, especially network files, might have been customized, and
therefore differ from the default system software.
5. Copy contaminated files to tape to save as evidence.
6. Under some circumstances, you might not be able to reboot, or you
might not trust the reboot program (/sbin/init) itself. If so, you
must reinstall your system.
7. If you are uncertain of the scope of damage, we recommend that you
reinstall HP-UX from the distribution source media. You might also
need to reinstall other software applications on your system.
8. After reinstalling, you must decide if you have corrupted any user
files, or other files not reinstalled from tape.
9. Mount users’ home directories and run the find and ncheck
commands to uncover any additional compromised files.
10. If the breach was an unauthorized access of your machine, under
most circumstances, the point of entry will be apparent. Disable
those accounts, replacing the password entries with an asterisk. The
root user then has to change the password by hand.
In any case, it is recommended that you check all accounts on the
system.
11. Inform all system users of a security breach and ask them to check
their accounts for anything unusual. Instruct users to run ls -lt to
look for unexpected changes to files, such as the time of last
modification, file creation, or mode change, which might suggest tampering.
12. Analyze evidence to determine how the breach occurred and what
can be done to prevent recurrences.
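The comparison in step 4 (sizes, checksums, byte counts, inodes, ownership) and the find sweep in step 9 can be scripted so they are repeatable and the results can be kept as evidence. The following script is an added example and is not part of the HP-UX guide. It assumes only POSIX sh, find, ls, cksum, awk and sort; the HP-UX ncheck command is not used, and the manifest format (mode, uid, gid, inode, CRC, byte count, path) is this example's own convention. A baseline manifest would normally be taken from the trusted backup or from a freshly installed system and stored off the suspect machine.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): record a baseline manifest of
# regular files, diff it against the current state, report which fields
# differ, and sweep for files written after a reference point in time.
# Assumes POSIX sh, find, ls, cksum, awk and sort only.
set -eu

# Write one tab-separated line per regular file under $1:
#   mode  uid  gid  inode  crc  bytes  path
# ls -lin gives inode, mode and numeric owner/group; cksum gives CRC and byte count.
manifest() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(ls -lin "$f")        # $1=inode $2=mode $4=uid $5=gid
        ino=$1 mode=$2 uid=$4 gid=$5
        set -- $(cksum "$f")          # $1=crc $2=bytes
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$mode" "$uid" "$gid" "$ino" "$1" "$2" "$f"
    done
}

# Compare baseline manifest $1 with current manifest $2. Prints one of
#   ADDED <path>, REMOVED <path>, CHANGED <path> <names of fields that differ>
# A changed CRC with an unchanged inode means the file was rewritten in place.
compare_manifests() {
    awk '
        BEGIN { FS = "\t"; split("mode uid gid inode crc bytes", name, " ") }
        FILENAME == ARGV[1] {
            for (i = 1; i <= 6; i++) base[$7, i] = $i
            seen[$7] = 1
            next
        }
        {
            if (!($7 in seen)) { print "ADDED\t" $7; next }
            diff = ""
            for (i = 1; i <= 6; i++) if (base[$7, i] != $i) diff = diff " " name[i]
            if (diff != "") print "CHANGED\t" $7 "\t" substr(diff, 2)
            delete seen[$7]
        }
        END { for (f in seen) print "REMOVED\t" f }
    ' "$1" "$2"
}

# List regular files under $1 modified more recently than reference file $2
# (for example a file touched when the last good backup was taken). find -newer
# uses the modification time; on HP-UX, follow up with ls -lc to inspect the
# inode change time, which also records ownership and mode changes.
changed_since() {
    find "$1" -type f -newer "$2" -print | LC_ALL=C sort
}

# Constructed walkthrough on a scratch directory, not a real system:
# one file rewritten in place, one removed, one planted.
demo() {
    scratch=$(mktemp -d)
    mkdir "$scratch/root"
    printf 'original\n' > "$scratch/root/a"
    printf 'stays\n'    > "$scratch/root/b"
    manifest "$scratch/root" > "$scratch/baseline"
    touch "$scratch/ref"                                   # reference point in time
    printf 'modified by intruder\n' > "$scratch/root/a"    # rewritten in place
    rm "$scratch/root/b"                                   # removed
    printf 'planted\n' > "$scratch/root/c"                 # added
    manifest "$scratch/root" > "$scratch/current"
    compare_manifests "$scratch/baseline" "$scratch/current"
    changed_since "$scratch/root" "$scratch/ref"
    rm -rf "$scratch"
}

# Real use: manifest /usr/bin > /offline/baseline.txt on the trusted copy,
# manifest /usr/bin > current.txt on the suspect system, then
# compare_manifests /offline/baseline.txt current.txt.
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to see the three report lines for the scratch directory. Paths in the manifest are taken from find, so the baseline and the suspect system must be walked from the same mount point for the comparison to line up, and a manifest taken before a reinstall will show every inode as changed afterwards.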