Chapter 10. Incident Response
Table 10-1. File Auditing Tools

Command: file
Function: Determines the characteristics of files based on format, encoding, linked libraries (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as /bin/ls has been modified using static libraries, which is a sure sign that the executable has been replaced with one installed by a malicious user.
Example: file /bin/ls

Command: find
Function: Searches directories for particular files. It is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. It can also be useful for administrators that perform general system audits of particular directories or files.
Example: find . -atime +12 -name '*log*' -perm u+rw

Command: stat
Function: Displays various information about a file, including time last accessed, permissions, UID and GID bit settings, and more. Useful for checking when a breached system executable was last used or modified.
Example: stat /bin/netstat

Command: md5sum
Function: Calculates the 128-bit checksum using the md5 hash algorithm. Use this command to create a text file that lists all crucial executables that are often modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums and then copy the file onto a read-only medium such as CD-ROM.
Example: md5sum /usr/bin/gdm >> md5sum.txt

10.5. Restoring and Recovering Resources

While an incident response is in progress, the CERT team should be both investigating and working toward data and system recovery. Unfortunately, it is the nature of the breach which dictates the course of recovery. Having backups or offline, redundant systems during this time is invaluable.

To recover systems, the response team must bring any downed systems or applications back online, such as authentication servers, database servers, and any other production resources.

Having production backup hardware ready for use is highly recommended, such as extra hard drives, hot-spare servers, and the like. Ready-made systems should have all production software loaded and ready for immediate use. Only the most recent and pertinent data needs to be imported. This ready-made system should be kept isolated from the rest of the network. If a compromise occurs and the backup system is a part of the network, then the purpose of having a backup system is defeated.
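The checksum-database workflow that Table 10-1 describes for md5sum, carried through end to end as an added example (this script is not part of the Red Hat guide). It records a baseline of checksums for a list of executables, then re-hashes each listed file and reports any that have changed or gone missing, which is the check an administrator would run from the read-only copy of md5sum.txt after a suspected compromise. The demonstration uses constructed stand-in files in a temporary directory rather than real system binaries; the function names (baseline_create, baseline_verify, is_static_binary, demo) are this example's own, and the static-link check assumes the phrase "statically linked" in file(1) output, which is the wording libmagic uses for ELF binaries.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build and verify a simple
# checksum database of crucial executables, as Table 10-1 suggests.

# baseline_create BASELINE FILE...
# Writes one "checksum  path" line per file into BASELINE. In real use,
# BASELINE would then be copied to read-only media (CD-ROM) so that an
# intruder cannot rewrite it along with the binaries.
baseline_create() {
    _out=$1; shift
    md5sum "$@" > "$_out"
}

# baseline_verify BASELINE
# Re-hashes every path listed in BASELINE. Prints "CHANGED  path" for a
# checksum mismatch and "MISSING  path" for a file that no longer exists.
# Returns 0 when everything matches, 1 when at least one file differs.
baseline_verify() {
    _failed=0
    while IFS= read -r _line; do
        _sum=${_line%%  *}     # text before the two-space separator
        _path=${_line#*  }     # text after it
        if [ ! -f "$_path" ]; then
            echo "MISSING  $_path"
            _failed=1
            continue
        fi
        _now=$(md5sum "$_path" | cut -d' ' -f1)
        if [ "$_now" != "$_sum" ]; then
            echo "CHANGED  $_path"
            _failed=1
        fi
    done < "$1"
    return "$_failed"
}

# is_static_binary PATH
# Returns 0 if file(1) reports the executable as statically linked, the
# symptom Table 10-1 names for a replaced /bin/ls. Assumes libmagic's
# "statically linked" wording; availability of file(1) is not guaranteed.
is_static_binary() {
    file "$1" 2>/dev/null | grep -q 'statically linked'
}

# demo
# Constructed scenario: three stand-in "binaries" are baselined, then one
# is replaced and one removed, as a rootkit installation might do.
# Prints the verification report and returns baseline_verify's status.
demo() {
    _tmp=$(mktemp -d)
    printf 'original ls\n'      > "$_tmp/ls"
    printf 'original netstat\n' > "$_tmp/netstat"
    printf 'original ps\n'      > "$_tmp/ps"
    baseline_create "$_tmp/md5sum.txt" "$_tmp/ls" "$_tmp/netstat" "$_tmp/ps"

    # Simulated tampering after the baseline was taken (constructed).
    printf 'replaced ls\n' > "$_tmp/ls"
    rm -f "$_tmp/ps"

    if baseline_verify "$_tmp/md5sum.txt"; then _rc=0; else _rc=1; fi
    rm -rf "$_tmp"
    return "$_rc"
}

# Run the self-contained demonstration; expect CHANGED for ls and MISSING for ps.
if demo; then
    echo "baseline intact"
else
    echo "baseline violated: investigate the files listed above"
fi
```

For a live system the file list passed to baseline_create would be the executables that are commonly replaced in a compromise (the guide's examples include /bin/ls, /bin/netstat and /usr/bin/gdm), and md5sum itself should be run from trusted media, since a replaced md5sum binary could lie about every other file.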