Moonlight Evaluation

Scenario 1: Detect and Correct a Security Breach


Estimated Time: 10 minutes

Background: The New York server is behaving erratically, and you suspect that someone has hacked a system file. Use Moonlight to detect the security breach, investigate which files were compromised, and what changes were made. Once you have determined the cause of the problem, use Moonlight to fix it.

To investigate and repair the security breach
  1. Log in to Moon Portal if you have not already done so. See Starting Moonlight for instructions.

  2. On the Alerts page, notice that there are two alerts posted. We will investigate the security alert on the NewYork server first.

  3. Moonlight detected differences in content and file properties while auditing the NewYork server against the Security Model.

  4. Click the Details link for the Security Model alert.

  5. The Status Details report appears.

    1. The report shows that two system binaries have been hacked in the sbin directory (ls and pwd).

    2. Moonlight detected that the file size, modification time, and content (checksum) on this target differ from the model.

    3. Notice the values on the target compared to those in the model.

  6. Click Go next to the Fix Target option in the drop-down menu.

  7. On the Fix Target page, click Distribute.

  8. Moonlight replaces the corrupted binaries on the target with clean copies from the model and returns you to the Alerts page.

  9. The alert on the NewYork server is now cleared. If you still see the alert, the operation is still in progress. Refresh the page (CTRL + R).

  10. Now we will verify the status of the distribution. Click the Targets tab.

  11. Click the NewYork target to see its new status. Notice that the Security Model now appears in green and the result of the distribution is Successful.
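
The audit-and-fix cycle from steps 3 through 8 (compare each target file's size, modification time and checksum against the model, then redistribute clean copies) is shown below as an added Python example; it is not Moonlight's code, and the helper names and the temporary model/target trees are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical helpers, not Moonlight's own code. "model" is the trusted reference tree; "target" is the audited server's tree.
def snapshot(path):
    """Properties the audit compares: size, modification time, and content checksum."""
    p = Path(path)
    st = p.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "checksum": hashlib.sha256(p.read_bytes()).hexdigest()}

def audit(model_dir, target_dir, files):
    """Return {relative path: [properties that differ]} for every file that deviates from the model."""
    findings = {}
    for name in files:
        m, t = snapshot(Path(model_dir) / name), snapshot(Path(target_dir) / name)
        diffs = [k for k in m if m[k] != t[k]]
        if diffs:
            findings[name] = diffs
    return findings

def fix_target(model_dir, target_dir, findings):
    """Replace each deviating target file with the clean model copy (copy2 keeps the model's mtime)."""
    for name in findings:
        shutil.copy2(Path(model_dir) / name, Path(target_dir) / name)
    return sorted(findings)

def demo():
    """Constructed scenario: identical model and target trees, then sbin/ls and sbin/pwd altered on the target."""
    root = Path(tempfile.mkdtemp())
    model, target = root / "model", root / "target"
    files = ["sbin/ls", "sbin/pwd", "sbin/cat"]
    for d in (model, target):
        (d / "sbin").mkdir(parents=True)
    for name in files:
        (model / name).write_bytes(b"clean binary: " + name.encode())  # placeholder content
        shutil.copy2(model / name, target / name)
    (target / "sbin/ls").write_bytes(b"altered content " + b"x" * 40)   # size + checksum change
    (target / "sbin/pwd").write_bytes(b"altered pwd")
    os.utime(target / "sbin/pwd", (0, 0))                              # mtime change as well
    before = audit(model, target, files)       # what the Status Details report would list
    fixed = fix_target(model, target, before)  # the Fix Target / Distribute step
    after = audit(model, target, files)        # re-audit: the target should now match the model
    return before, fixed, after

if __name__ == "__main__":
    print(demo())
```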


Highlights

Moonlight's alert capability notified you of a security breach (you can also configure Moonlight to alert you via email). Moonlight's detailed reports allowed you to determine the time and the cause of the security alert. You were able to instantly repair the corrupted files, preventing server downtime.

Move on to Scenario 2: Troubleshoot a Configuration Problem.


