UPDATE 20100720: As of 1510 hours CDT, Lake Masonic Center network (to include the domains lakemasoniccenter.org, firstlutheranelca.org, and flippingcoinsband.com) acknowledges receipt of INFOCON GREEN from isc.sans.edu.
As of 1130 hours CDT, Lake Masonic Center network (to include the domains lakemasoniccenter.org, firstlutheranelca.org, and flippingcoinsband.com) acknowledges receipt of INFOCON YELLOW from isc.sans.edu.
My INFOCON scripts worked like a charm:
I heard a SAME header (7-bit FSK w/parity, 1200 baud) being broadcast from my server’s PC speaker. This happens on a regular weekly and monthly schedule for testing purposes. Today was not a scheduled test day. I ran to my console to see what prompted the broadcast. I saw the messages about INFOCON YELLOW scrolling past.
So I went through my checklist:
- Bash prompt displays “INFOCON YELLOW”
- Firewall rules for INFOCON YELLOW are applied
- System policies (idle time enforcement, max. failed login attempts, etc.) rolled in for INFOCON YELLOW
- INFOCON YELLOW on login banners
- INFOCON YELLOW on lakemasoniccenter.org website
Since the event that prompted the elevation was related to Windows LNK files, I also cataloged all LNK files on the system and tarballed the ones that weren’t immediately necessary. ClamAV found nothing (though the particular vulnerability isn’t in ClamAV’s latest definitions). I removed the execute bit from all LNK files since Samba ignores it and there’s no legitimate reason to need execute permissions on LNK files on a Linux box.
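As an added illustration of the kind of automation the checklist above and the LNK clean-up describe (example code, not the author's own INFOCON scripts), here is a minimal POSIX sh handler: it ranks the INFOCON colour, records the level in a state file that prompt and banner scripts can read, and at YELLOW or above catalogues the .lnk files under a share and clears their execute bit. The share path, state-file name and the isc.sans.edu fetch are assumptions; the level is passed in as an argument so the block runs offline.

```shell
#!/bin/sh
# Added example, not the original scripts. Level is supplied by the caller;
# a real deployment would fetch it, e.g. (assumption, not run here):
#   level=$(curl -fsS https://isc.sans.edu/infocon.txt)

# Rank colours so "at least YELLOW" is a numeric comparison. Unknown -> status 1.
infocon_rank() {
    case "$1" in
        green)  echo 0 ;;
        yellow) echo 1 ;;
        orange) echo 2 ;;
        red)    echo 3 ;;
        *)      return 1 ;;
    esac
}

# Catalogue .lnk files (any case) under $1 into $2, one path per line, and
# strip the execute bit from each. Nothing is deleted; the catalogue is the
# list you would tarball from. Prints the number of files catalogued.
harden_lnk() {
    share="$1"; catalog="$2"
    : > "$catalog"
    find "$share" -type f -iname '*.lnk' -print | sort >> "$catalog"
    while IFS= read -r f; do
        chmod a-x "$f"
    done < "$catalog"
    wc -l < "$catalog" | tr -d ' '
}

# Apply the checklist for a level: $1 colour, $2 share root, $3 state file
# (hypothetical; bash prompt, banner and firewall scripts would read it).
# Returns 1 on an unknown colour so a bad fetch never changes state.
apply_infocon() {
    level="$1"; share="$2"; state="$3"
    rank=$(infocon_rank "$level") || return 1
    printf '%s\n' "$level" > "$state"
    if [ "$rank" -ge 1 ]; then
        harden_lnk "$share" "$state.lnk-catalog" >/dev/null
    fi
    return 0
}
```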
One more screenie for good measure: