Operations Security

Initial Program Load - loading the operating system's kernel into the computer's main memory.

System shuts itself down in a controlled manner in response to a kernel (trusted computing base) failure

system failure in an uncontrolled manner. Failure caused by a lower-privileged user - ex. attempting to access restricted memory segments

An unexpected kernel or media failure happens and the regular recovery procedure cannot recover system to a more consistent state. Important that the system does not enter in an insecure state.

• 1. enter into single mode - system will automatically boot up to a "single user mode" or must be manually booted to a "Recovery Console" These modes do not start services for users on the network. The administrator must be physically at the console or have a dial-in modem attached.
• 2. Fix Issue, Recover file - the system administrator will attempt to identify the cause of the shutdown. May need to roll-back or roll-forward a database. May be automatic or manual actions that need to occur before applications and services return to normal state.
• 3. Investigation of the problem suggest corruption (attack, user reconfiguration, hardware or software failure) - administrator needs to ensure that system files, and configuration files are consistent with their expected state. Administrator could look at cryptographic checksums of files (tripwire) or validate settings with documentation.

• Bootup sequence - only allow authorized users to change boot sequence - don't want an attacker to boot from CD etc.
• Bypass System logs - attacker would be able to change configuration and remove tracks in logs
• System forced shutdown - should be limited to administrators
• Diagnostics messages and logs - should not be able to be re-routed. Access to messages should be restricted to authorized users.