Commit 3d51e6aa authored by Axel Beckert

Add a README file

parent 781cb876
IOC Check for EGI Incidents #EGI20200421 and #EGI2020512
========================================================

These scripts check for known indicators of compromise for the [EGI
Incidents #EGI20200421 and
#EGI2020512](https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/)
on any Unix system you can reach by SSH.

How it works
------------

`ioc-local-check.pl` is the actual check which runs on the system
being checked.

`ioc-remote-check.sh` copies `ioc-local-check.pl` to all to-be-checked
systems via scp, calls it, and removes it again. Currently it only
supports root logins via SSH, and assumes that SSH keys are used for
logging in. It also checks (via `sha256sum`) whether the script copied
to the remote host has been modified, and in that case does not delete
it at the end of the check.

Both commands understand the `-v` and `-d` commandline options:

* `-v` makes the output verbose: it adds a summary. (By default no
  output means the host is clean, as is common in Unix philosophy.)
* `-d` adds debug output: it adds checks for files and directories
  which are commonly there on most Linux systems. They belong to the
  fictional incident "DEBUG".
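The copy, run, verify and clean-up workflow described above, written out as an added POSIX `sh` example. This is not the project's own `ioc-remote-check.sh`; it assumes the local check lives at `./ioc-local-check.pl`, is copied to `/root/ioc-local-check.pl` on the remote host, is run with `perl` as root over key-based SSH, and that the example file is saved as `ioc-remote-check-example.sh` (all assumed names). The integrity check is the part worth copying: the digest is computed before upload and compared with what the remote `sha256sum` reports, and the copy is only removed when the two agree, so a tampered script stays behind for inspection.

```shell
#!/bin/sh
# Added example, not the project's ioc-remote-check.sh.
# Assumptions: root login via SSH keys, sha256sum and perl on the remote host.
set -e

LOCAL_SCRIPT="${LOCAL_SCRIPT:-./ioc-local-check.pl}"    # assumed local path
REMOTE_PATH="${REMOTE_PATH:-/root/ioc-local-check.pl}"  # assumed remote path
SSH="${SSH:-ssh -a -x}"   # -a: no agent forwarding, -x: no X11 forwarding
SCP="${SCP:-scp -q -p}"   # -q: quiet, -p: preserve mode and timestamps

# Print only the SHA-256 hex digest of a file.
local_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Compare the digest taken before upload with the one reported by the
# remote host. Returns 0 when the copy is intact, 1 when it differs or
# when either value is empty (e.g. remote sha256sum failed).
digest_matches() {
    expected=$1
    observed=$2
    [ -n "$expected" ] && [ -n "$observed" ] && [ "$expected" = "$observed" ]
}

# Check one host: copy, run, verify, and remove only if unmodified.
# Following the README's convention, silence means the host is clean.
check_host() {
    host=$1
    shift
    expected=$(local_digest "$LOCAL_SCRIPT")

    $SCP "$LOCAL_SCRIPT" "root@$host:$REMOTE_PATH"
    # The check's output is the signal; its exit status is not relied on
    # here (assumption), so a non-zero status does not abort the run.
    $SSH "root@$host" "perl $REMOTE_PATH $*" || true

    observed=$($SSH "root@$host" "sha256sum $REMOTE_PATH" | awk '{print $1}')
    if digest_matches "$expected" "$observed"; then
        $SSH "root@$host" "rm -f $REMOTE_PATH"
    else
        echo "$host: copied script was modified on the remote host;" \
             "leaving $REMOTE_PATH in place for inspection" >&2
        return 1
    fi
}

# Usage: ioc-remote-check-example.sh [-v] [-d] host...
# -v and -d are passed through to the local check.
main() {
    opts=
    while [ $# -gt 0 ]; do
        case $1 in
            -v|-d) opts="$opts $1"; shift ;;
            *) break ;;
        esac
    done
    rc=0
    for h in "$@"; do
        check_host "$h" $opts || rc=1
    done
    return $rc
}

# Run main only when executed under the assumed file name, so the
# functions can also be sourced without contacting any host.
if [ "${0##*/}" = "ioc-remote-check-example.sh" ]; then
    main "$@"
fi
```

The two SSH options match the README's requirements list: `-a` and `-x` keep agent and X11 forwarding off, so a compromised host being checked cannot borrow the admin workstation's agent, and `scp -p` preserves the script's mode so it can be executed with `perl` regardless of the remote umask.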
Requirements
------------

### Admin Workstation

`ioc-remote-check.sh` uses only these standard POSIX commands and SSH:

* `sh` (a Bourne-compatible shell like `ash` or `dash` suffices, `bash` is not needed.)
* `egrep`
* `test` (as `[`)
* `sha256sum`
* `awk` (`mawk` suffices, no `gawk` needed.)
* `scp` (needs to understand options `-q` and `-p`) and `ssh` (needs
  to understand options `-a` and `-x`) — OpenSSH is known to work.

### To Be Checked Hosts

`ioc-local-check.pl` uses only these standard POSIX commands and Perl:

* Perl 5.10 or newer (suffices for RHEL6 and any supported Debian or
  derivative like Ubuntu), no modules required.
* `sha256sum`
* `getent`
* `awk` (`mawk` suffices, no `gawk` needed.)
* `hostname`