Introduction to Forensics - A Report from Southwest Drupal Summit
What do you do once you realize one of your servers has been compromised? I recently had the opportunity to hear Linux Journal's own Kyle Rankin give a very impressive talk covering this situation at the Southwest Drupal Summit in Houston, Texas.
The actions you choose to take are very important and should be prepared before the fateful event. Most people will spend time on the server trying to figure out how the intruder gained access to the machine, and what they have been doing. Not only is this problematic in that the intruder has more time to do his damage, but the longer the server is up, the more likely critical forensic data will be lost.
Kyle argued that the best first step is to immediately pull the plug on the box. Do not diagnose the situation and do not shut the machine down gracefully. We use journaling file systems for a reason and the machine will probably be rebuilt from scratch, so the danger of corrupted data from killing the power is small. Once the machine is off, you should image the compromised drive with something like 'dd' and make a copy of the image to do your work on to protect you from accidentally contaminating the evidence.
The issue with poking around on the live system is that you will destroy any information you could have learned from the meta data stored on every file on the computer. Linux uses MAC times to record when certain events occurred most recently. The events that change MAC times on a file are “modification” (the data in the file was modified), “access” (some part of the file was read or executed), and “metadata change” (the file's permissions or ownership were changed). By pulling power from the server at the earliest possible moment, you decrease the likelihood that MAC times recorded by the intruder's action will have been updated by another user.
Kyle then did a live demo on a compromised image showing how to use The Sleuth Kit and Autopsy Browser to perform the investigation. These tools can be used to view log files, recover deleted files, and to order the files on the file system by MAC times. With this information, he was able to paint an interesting picture of not only how an intruder gained access to one of his machines, but what they did once they once they had access.
Kyle is a great public speaker and I highly recommend seeing him if you get the chance. His slides for the Southwest Drupal Summit presentation are available online as is his Linux Journal article Introduction to Forensics where he goes into great detail on how to use these tools.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- Google's SwiftShader Released
- Linux In Government: Interoperability
- Linux in Government: Winning in the Big Enterprise Space
- Linux in Government: Open Source Innovation within the DoD
- Linux in Government: An Interview with John Weathersby of OSSI
- Linux in Government: GNU/Linux Clears Procurement Hurdles
- Convert Filenames to Lowercase
- Tech Tip: Really Simple HTTP Server with Python
- Getting Started with Salt Stack-the Other Configuration Management System Built with Python
- Concerning Containers' Connections: on Docker Networking