Sysadmin Incident Response Checklist

The checklist below is intended to outline some recommended actions system administrators should perform in the event of a system compromise or malicious activity.

  1. Please contact IMSS Information Security at security@caltech.edu if you have not already done so.
  2. Determine the nature and seriousness of the incident by considering the following questions and discussing them with Information Security if necessary.
    A. Does the system contain sensitive or confidential information?
    B. Is there a chance outside law enforcement may need to get involved?
    C. Is there a requirement or desire to perform a forensics analysis of the system compromise?
  3. If the answer is yes to any of the questions in item (2) then please disregard the instructions below and coordinate the actions to be taken with Information Security.
  4. If the answer is no to all the questions in item (2) then continue to item (5) on the checklist.
  5. Isolate the compromised system by disconnecting the network cable. If this is not feasible or desirable, Information Security can block access to the compromised system via the network.
  6. Try to determine the cause of the malicious activity and the level of system privilege attained by the miscreants.
  7. Disable any hacked accounts and kill all processes owned by them.
  8. Compile a list of IP addresses involved in the incident, please include log entries if possible, and forward the data to Information Security.
  9. Determine which user(s) need to change their passwords because of the compromise, and whether they also have accounts on other systems. Users often reuse the same credentials on numerous machines; if that proves to be the case, the administrators of those systems should be notified.
  10. Make a backup copy of the local password file if appropriate, in case you need to compare who has and who has not changed their passwords after notification.
  11. Please notify Information Security if your system uses Caltech LDAP authentication to authenticate users.
  12. Contact the owners of the compromised accounts. When choosing your contact method, consider the likelihood that the miscreant has access to the compromised account's email.
  13. When you've rebuilt the system, request that its network access be re-established by sending email to security@caltech.edu.
  14. Information Security may want to perform a network vulnerability scan of the system after it's unblocked, which can help identify any unresolved security issues that might be used in future attacks against the system.
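As an added illustration of items 7, 8 and 10 (not part of the checklist above), the POSIX shell functions below lock a compromised account before killing its processes, pull the involved IP addresses and the account's log lines out of an auth log for the report to Information Security, and take a protected copy of the password files. The log lines are a constructed sample standing in for /var/log/auth.log, and the account name, tool names (usermod, pkill) and paths are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Added example helpers for checklist items 7, 8 and 10; not Caltech IMSS code.

# Constructed sample auth-log lines (stand-in for /var/log/auth.log).
SAMPLE_LOG='Mar  3 02:11:07 host sshd[4121]: Accepted password for svc_backup from 203.0.113.45 port 51022 ssh2
Mar  3 02:11:09 host sshd[4121]: pam_unix(sshd:session): session opened for user svc_backup by (uid=0)
Mar  3 02:14:31 host sshd[4188]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 02:15:02 host sshd[4190]: Accepted publickey for svc_backup from 203.0.113.45 port 51090 ssh2
Mar  3 02:20:45 host sudo: svc_backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash'

# Item 8: unique IPv4 addresses appearing in log text read from stdin.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Item 8: only the log lines that mention the given account (for the report).
account_lines() {
    grep -F -- "$1"
}

# Item 7: lock the account first so it cannot log back in, then kill its
# processes. Needs root; with DRY_RUN=1 it only prints the commands it would run.
disable_account() {
    acct="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "usermod -L $acct; pkill -KILL -u $acct"
        return 0
    fi
    usermod -L "$acct" && pkill -KILL -u "$acct"
}

# Item 10: timestamped, mode-600 copies of passwd and shadow.
# usage: backup_passwd DEST_DIR [SRC_DIR]   (SRC_DIR defaults to /etc; shadow needs root)
backup_passwd() {
    dest="$1"; src="${2:-/etc}"; ts=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest" || return 1
    for f in passwd shadow; do
        [ -r "$src/$f" ] || continue
        cp "$src/$f" "$dest/$f.$ts" && chmod 600 "$dest/$f.$ts" || return 1
    done
}

# Read-only demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | extract_ips
printf '%s\n' "$SAMPLE_LOG" | account_lines svc_backup
```

On a live system, run the read-only functions against the real log first (`extract_ips < /var/log/auth.log`) and keep the output with the evidence you forward to Information Security.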

Please see our FAQ page if you need help figuring out what to do or where to start to recover from a system compromise.