daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94f74ef111da8d949b738322c167415615155ff6
microdao-daarion/security/forensics-checklist.md
Apple cba2ff47f3 📚 docs(security): Add comprehensive Security chapter 
## New Security Documentation Structure

/security/
├── README.md                    # Security overview & contacts
├── forensics-checklist.md       # Incident investigation guide
├── persistence-scan.sh          # Quick persistence detector
├── runtime-detector.sh          # Mining/suspicious process detector
└── hardening/
    ├── docker.md                # Docker security baseline
    ├── kubernetes.md            # K8s policies (future reference)
    └── cloud.md                 # Hetzner-specific hardening

## Key Components

### Forensics Checklist
- Process analysis commands
- Persistence mechanism detection
- Network connection analysis
- File system inspection
- Authentication audit
- Decision matrix for threat response

### Scripts
- persistence-scan.sh: Cron, systemd, executables, SSH keys
- runtime-detector.sh: Mining process detection with --kill option

### Hardening Guides
- Docker: Secure compose template, Dockerfile best practices
- Kubernetes: NetworkPolicy, PodSecurityStandard, Falco rules
- Cloud: Egress firewall, SSH hardening, fail2ban, monitoring

## Post-Incident Documentation
Based on lessons learned from Incidents #1 and #2 (Jan 2026)

Co-authored-by: Cursor Agent <agent@cursor.sh>
2026-01-09 02:08:13 -08:00

294 lines
5.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 🔍 Forensics Checklist — Incident Investigation
**Мета:** Відповісти на 3 критичні питання:
1. **Як саме зайшли** (initial access vector)
2. **Чи є persistence** (чи повернеться знову)
3. **Чи можна довіряти системі далі** (чи потрібен rebuild)
---
## 📋 Швидкий чекліст
### A. Process-level Analysis
```bash
# Всі процеси з деревом
ps auxf
# Top CPU consumers
ps -eo pid,ppid,user,cmd,%cpu,%mem --sort=-%cpu | head -20
# Процеси конкретного користувача (напр. container user 1001)
ps aux | grep "1001"
# Zombie процеси
ps aux | grep defunct | wc -l
```
**🔴 Red flags:**
- Дивні назви: `softirq`, `.syslog`, `catcal`, `G4NQXBp`, `vrarhpb`
- Процеси без батьків (orphans)
- user ≠ expected
- CPU > 50% на невідомому процесі
---
### B. Persistence Mechanisms
```bash
# Cron jobs
crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
# Systemd services
systemctl list-unit-files --state=enabled
ls -la /etc/systemd/system/
ls -la /usr/lib/systemd/system/
# Init scripts
ls -la /etc/init.d/
ls -la /etc/rc.local
# Docker auto-restart
docker ps --filter "restart=always"
docker ps --filter "restart=unless-stopped"
```
**🔴 Red flags:**
- Незнайомі cron jobs
- Нові systemd services
- Контейнери з `restart: unless-stopped` + compromised
---
### C. Network Analysis
```bash
# Listening ports
ss -tulpn
netstat -tulpn
# Active connections
ss -antp
netstat -antp
# Firewall rules
iptables -L -n -v
iptables -L -n -v -t nat
# DNS queries (if available)
cat /var/log/syslog | grep -i dns
```
**🔴 Red flags:**
- Outbound до mining pools (порти 3333, 5555, 7777, 14433)
- Нові listening ports
- З'єднання до unknown IP
**Known mining pool patterns:**
```
*pool*
*xmr*
*monero*
*crypto*
*.ru:*
*.cn:*
```
---
### D. File System Analysis
```bash
# Executable files in temp directories
find /tmp /var/tmp /dev/shm -type f -executable 2>/dev/null
# Recently modified binaries
find /usr/bin /usr/local/bin /usr/sbin -mtime -3 2>/dev/null
# Hidden files in home directories
find /root /home -name ".*" -type f 2>/dev/null
# Large files in unexpected places
find /tmp /var/tmp -size +10M 2>/dev/null
# SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
```
**🔴 Red flags:**
- Executables в /tmp, /dev/shm
- Нещодавно змінені системні бінарники
- Hidden files з executable permissions
---
### E. Authentication & Access
```bash
# Login history
last
lastlog
who
# SSH keys
grep -R "ssh-rsa" /root/.ssh /home 2>/dev/null
cat /root/.ssh/authorized_keys
ls -la /root/.ssh/
# Failed logins
grep "Failed" /var/log/auth.log | tail -50
grep "Accepted" /var/log/auth.log | tail -50
# Sudo usage
grep "sudo" /var/log/auth.log | tail -50
```
**🔴 Red flags:**
- Незнайомі SSH ключі
- Логіни з unknown IP
- Нові користувачі
---
### F. Docker-specific
```bash
# All containers (including stopped)
docker ps -a
# Container processes
docker top <container_name>
# Container logs
docker logs --tail 100 <container_name>
# Docker images
docker images
# Docker networks
docker network ls
docker network inspect <network>
# Container inspect (look for mounts, env vars)
docker inspect <container_name>
```
**🔴 Red flags:**
- Контейнери з `--privileged`
- Mounted host directories (особливо /)
- Unknown images
---
## 📊 Decision Matrix
| Знахідка | Рівень загрози | Дія |
|----------|----------------|-----|
| Підозрілий процес, CPU > 50% | 🔴 Critical | Kill + investigate |
| Cron job до unknown binary | 🔴 Critical | Remove + investigate |
| New SSH key | 🔴 Critical | Remove + rotate all |
| Outbound to mining pool | 🔴 Critical | Block + kill |
| Modified system binary | 🔴 Critical | Full rebuild |
| Container with persistence | 🟡 High | Remove container + image |
| Unknown listening port | 🟡 High | Investigate + block |
| Failed SSH attempts | 🟢 Low | Monitor + fail2ban |
---
## 🔧 Post-Investigation Actions
### If compromised (any 🔴 finding):
1. **Contain:**
```bash
# Stop affected services
docker stop <container>
# Block outbound (emergency)
iptables -I OUTPUT -d 0.0.0.0/0 -p tcp --dport 22 -j DROP
```
2. **Preserve evidence:**
```bash
# Save process list
ps auxf > /root/evidence/ps_$(date +%Y%m%d_%H%M%S).txt
# Save network connections
ss -antp > /root/evidence/ss_$(date +%Y%m%d_%H%M%S).txt
# Save Docker state
docker ps -a > /root/evidence/docker_$(date +%Y%m%d_%H%M%S).txt
```
3. **Eradicate:**
```bash
# Kill processes
kill -9 <pid>
# Remove persistence
crontab -r
systemctl disable <service>
# Remove Docker artifacts
docker stop <container>
docker rm <container>
docker rmi <image> # CRITICAL!
```
4. **Recover:**
- Rebuild from clean source
- Apply hardening
- Monitor for recurrence
5. **Document:**
- Update INFRASTRUCTURE.md
- Create incident report
- Update hardening procedures
---
## 📝 Incident Report Template
```markdown
## Incident Report: [Title]
**Date:** YYYY-MM-DD HH:MM UTC
**Severity:** Critical/High/Medium/Low
**Status:** Resolved/Ongoing
### Timeline
- HH:MM — Detection
- HH:MM — Containment
- HH:MM — Eradication
- HH:MM — Recovery
### Root Cause
[Description of how the attack occurred]
### Impact
- Services affected
- Data affected
- Downtime
### Indicators of Compromise (IOCs)
- Process names
- File paths
- IP addresses
- Domains
### Remediation
- Actions taken
- Hardening applied
### Lessons Learned
- What worked
- What to improve
- Prevention measures
```
Reference in New Issue View Git Blame Copy Permalink