File: 11_after-compromise.po

Package: harden-doc 3.19+nmu1
msgid ""
msgstr ""
"Project-Id-Version: harden-doc 3.19\n"
"Report-Msgid-Bugs-To: <debian-i18n@lists.debian.org>\n"
"POT-Creation-Date: 2018-04-29 00:18+0200\n"
"PO-Revision-Date: 2018-04-29 08:23+0200\n"
"Last-Translator: Philipe Gaspar <philipegaspar@gmail.com>\n"
"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian.org>\n"
"Language: pt_BR\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

msgid "After the compromise (incident response)"
msgstr "Depois do comprometimento do sistema (resposta a incidentes)"

msgid "General behavior"
msgstr "Comportamento comum"

msgid "If you are physically present when an attack is happening, your first response should be to remove the machine from the network by unplugging the network card (if this will not adversely affect any business transactions). Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box (Phillip Hofmeister's wise advice)."
msgstr "Se você estiver fisicamente presente quando o ataque ocorrer, sua primeira obrigação é tirar a máquina da rede desconectando o cabo de rede da placa (se isso não for influenciar nas transações dos negócios). Desativando a rede na camada 1 é a única forma de manter o invasor longe da máquina comprometida (conselho sábio de Philip Hofmesiter)."

msgid "However, some tools installed by rootkits, trojans and even a rogue user connected through a back door might be capable of detecting this event and reacting to it. Seeing an <literal>rm -rf /</literal> executed when you unplug the network from the system is not really much fun. If you are unwilling to take the risk, and you are sure that the system is compromised, you should <emphasis>unplug the power cable</emphasis> (all of them if there is more than one) and cross your fingers. This may be extreme but, in fact, it will avoid any logic bomb that the intruder might have programmed. In this case, the compromised system <emphasis>should not be rebooted</emphasis>. Either the hard disks should be moved to another system for analysis, or you should use other media (a CD-ROM) to boot the system and analyze it. You should <emphasis>not</emphasis> use Debian's rescue disks to boot the system, but you <emphasis>can</emphasis> use the shell provided by the installation disks (remember, Alt+F2 will take you to it) to analyze the system<footnote><para>If you are adventurous, you can log in to the system and save information on all running processes (you'll get a lot from /proc/nnn/). It is possible to get the whole executable code from memory, even if the attacker has deleted the executable files from disk. Then pull the power cord.</para></footnote>."
msgstr "Entretanto, alguns rootkits ou back doors são capazes de detectar este tipo de evento e reagir a ele. Ver um <literal>rm -rf /</literal> sendo executado quando você desativa a rede não é muito engraçado. Se você se nega a correr o risco e tem certeza que o sistema foi comprometido, você deve <emphasis>desconectar o cabo de energia</emphasis> (todos eles se existirem mais de um) e cruzar os dedos. Isso pode ser extremo mas, de fato, irá evitar qualquer bomba lógica que o invasor possa ter programado. Nesses casos, o sistema comprometido <emphasis>não deve ser reiniciado</emphasis>. Os discos rígidos também devem ser colocados em outro sistema para serem analisados, ou deve ser usado outro tipo de mídia (um CD-ROM) para inicializar o sistema e analisá-lo. Você <emphasis>não</emphasis> deve usar os discos de recuperação do Debian para inicializar o sistema, mas você <emphasis>pode</emphasis> utilizar o shell fornecido pelos discos de instalação (use Alt+F2 para acessá-lo) para analisar o sistema. <footnote><para>Se você for aventureiro, você pode efetuar o logon no sistema e salvar as informações de todos os processos em execução (várias dessas informações estão em /proc/nnn/). É possível pegar todo código executável da memória, mesmo se o invasor tiver excluído os arquivos executáveis do disco. Então puxe o cabo de força. </para></footnote>"
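
The footnote's suggestion of saving what can be learned about running processes before pulling the power, as an added shell example that is not part of the manual: it copies each process's command line, status, memory map and the executable itself out of /proc, which still works when the binary has been deleted from disk. The output layout is this example's own choice, and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the manual): collect volatile process data from
# /proc before the power is pulled. Run it from a shell on the suspect
# host with OUTDIR on removable or remote storage, never on the
# compromised disk. The output layout is this example's own choice.

# capture_processes OUTDIR [PID...]
# Copies per-process evidence into OUTDIR/<pid>/ and prints how many
# processes were captured. With no PIDs given, every process in /proc is
# taken.
capture_processes() {
    outdir=$1
    shift
    mkdir -p "$outdir" || return 1
    if [ $# -eq 0 ]; then
        set -- $(ls /proc | grep '^[0-9][0-9]*$')
    fi
    count=0
    for pid in "$@"; do
        p=/proc/$pid
        [ -d "$p" ] || continue
        d=$outdir/$pid
        mkdir -p "$d" || continue
        # cmdline is NUL-separated: keep the raw file and a readable copy.
        cp "$p/cmdline" "$d/cmdline.raw" 2>/dev/null || :
        tr '\0' ' ' 2>/dev/null < "$p/cmdline" > "$d/cmdline" || :
        for f in status maps; do
            cp "$p/$f" "$d/$f" 2>/dev/null || :
        done
        # Symlink targets give the working directory and executable path;
        # the kernel appends " (deleted)" when the file has been unlinked.
        readlink "$p/cwd" > "$d/cwd" 2>/dev/null || :
        readlink "$p/exe" > "$d/exe.path" 2>/dev/null || :
        # Copy the executable through the kernel's handle on it, so a
        # binary removed from disk can still be recovered for analysis.
        cp "$p/exe" "$d/exe.bin" 2>/dev/null || :
        count=$((count + 1))
    done
    echo "$count"
    return 0
}

# deleted_executables OUTDIR
# Lists the pids whose executable was unlinked from disk, a common trait
# of implants that try to hide their binary.
deleted_executables() {
    grep -l ' (deleted)$' "$1"/*/exe.path 2>/dev/null \
        | sed 's|.*/\([0-9][0-9]*\)/exe.path$|\1|'
    return 0
}
```

Afterwards, deleted_executables on the output directory gives the pids worth looking at first; their exe.bin copies are what to hand to the malware analysis tools described later in this chapter.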

msgid "The most recommended method for recovering a compromised system is to use a live filesystem on CD-ROM with all the tools (and kernel modules) you might need to access the compromised system. You can use the <application>mkinitrd-cd</application> package to build such a CD-ROM<footnote><para>In fact, this is the tool used to build the CD-ROMs for the <ulink name=\"Gibraltar\" url=\"http://www.gibraltar.at/\" /> project (a firewall on a live CD-ROM based on the Debian distribution).</para></footnote>. You might find the <ulink name=\"Caine\" url=\"http://www.caine-live.net/\" /> (Computer Aided Investigative Environment) CD-ROM useful here too, since it is also a live CD-ROM under active development with forensic tools useful in these situations. There is not (yet) a Debian-based tool such as this, nor an easy way to build the CD-ROM using your own selection of Debian packages and <application>mkinitrd-cd</application> (so you will have to read the documentation provided with it to make your own CD-ROMs)."
msgstr "O método mais recomendado para restaurar um sistema comprometido é utilizar um CDROM com todas as ferramentas (e módulos do kernel) necessárias para acessar o sistema. Você pode utilizar o pacote <application>mkinitrd-cd</application> para compilar tal CDROM<footnote><para>De fato, esta é a ferramenta usada para compilar os CDROMs para o projeto <ulink url=\"http://www.gibraltar.at/\" name=\"Gibraltar\" /> (um firewall em um live-CD baseado na distribuição Debian).</para></footnote>. Você também pode achar o CDROM <ulink name=\"FIRE\" url=\"http://biatchux.dmzs.com/\" /> útil, já que é um live CDROM com ferramentas para análise forense ideal neste tipo de situação. Não existe (ainda) uma ferramenta baseada no Debian como esta, nem uma maneira fácil de compilar o CDROM com pacotes específicos e com <application>mkinitrd-cd</application> (então você terá que ler a documentação fornecida com o programa para fazer seus próprios CDROMs)."

msgid "If you really want to fix the compromise quickly, you should remove the compromised host from your network and re-install the operating system from scratch. Of course, this may not be effective because you will not learn how the intruder got root in the first place. In that case, you must check everything: firewall, file integrity, log host, log files and so on. For more information on what to do following a break-in, see <ulink name=\"CERT's Steps for Recovering from a UNIX or NT System Compromise\" url=\"http://www.cert.org/tech_tips/root_compromise.html\" /> or SANS's <ulink name=\"Incident Handling whitepapers\" url=\"http://www.sans.org/reading_room/whitepapers/incident/\" />."
msgstr "Se você realmente quer consertar um sistema comprometido rapidamente, você deve tirar o sistema da sua rede e reinstalar todo o sistema operacional do zero. Claro, isto pode não ser efetivo porque você não saberá como o invasor comprometeu o sistema. Neste caso, você deve verificar tudo: firewall, integridade de arquivos, host de log, arquivos de log entre outros. Para mais informações do que fazer siga um guia, veja <ulink name=\"Sans' Incident Handling Guide\" url=\"http://www.sans.org/y2k/DDoS.htm\" /> ou <ulink url=\"http://www.cert.org/tech_tips/root_compromise.html\" name=\"CERT's Steps for Recovering from a UNIX or NT System Compromise\" />."

msgid "Some common questions on how to handle a compromised Debian GNU/Linux system are also available in <xref linkend=\"vulnerable-system\" />."
msgstr "Algumas perguntas freqüentes de como lidar com um sistema Debian GNU/Linux estão disponíveis em <xref linkend=\"vulnerable-system\" />."

msgid "Backing up the system"
msgstr "Efetuando backup do sistema"

msgid "Remember that if you are sure the system has been compromised you cannot trust the installed software or any information that it gives back to you. Applications might have been trojanized, kernel modules might have been installed, etc."
msgstr "Lembre-se que se você tem certeza de que o sistema foi comprometido você não pode confiar no software instalado ou em qualquer informação retornada por ele. Aplicações podem ser alteradas, módulos do kernel podem ser instalados e etc."

msgid "The best thing to do is to make a complete file system backup copy (using <command>dd</command>) after booting from a safe medium. Debian GNU/Linux CD-ROMs can be handy for this since they provide a shell in console 2 when the installation is started (jump to it using Alt+F2 and pressing Enter). From this shell, back up the information to another host if possible (maybe a network file server through NFS/FTP). Then any analysis of the compromise or re-installation can be performed while the affected system is offline."
msgstr "A melhor coisa a se fazer é uma cópia de backup completa do sistema de arquivo (usando o <command>dd</command>) depois de inicializar o sistema de uma mídia segura. Os CDROMs do Debian GNU/Linux podem ser utilizados para isto, já que eles fornecem um shell no console 2 quando a instalação é iniciada (acesse através do Alt+2 e pressione Enter). Do shell, efetue o backup das informações para outro host se possível (talvez um servidor de arquivos de rede através de NFS/FTP). Então qualquer análise da invasão ou reinstalação pode ser feita enquanto o sistema comprometido está off-line."
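
The imaging step above, as an added example that is not code from the manual: a POSIX shell function that copies a disk with dd into an evidence directory and verifies the image against the source by SHA-256. The device name /dev/sda and the destination /mnt/evidence mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): image the suspect disk with dd after
# booting from a safe medium, then verify the copy. SOURCE is a block device
# such as /dev/sda (any readable file works for a rehearsal); DESTDIR should
# live on another host, e.g. an NFS export mounted under /mnt/evidence.
# Device names and paths are assumptions for this example.

# Portable SHA-256 of a file: coreutils sha256sum on Debian, shasum elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE DESTDIR
# Writes DESTDIR/<name>.img, its .sha256, dd's own record counts and an
# acquisition note. Returns 0 only when the image hashes the same as the
# source, so a short read over a flaky NFS link is caught before any analysis.
acquire_image() {
    src=$1
    dest=$2
    name=$(basename "$src")
    img=$dest/$name.img
    mkdir -p "$dest" || return 1
    # noerror: keep reading past bad sectors; sync: zero-fill them so offsets
    # in the image still match the disk. bs equals the sector size so one bad
    # sector costs exactly 512 zero bytes (a 4M block size would zero-fill the
    # whole block, and would pad the image's tail on a non-aligned source).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$dest/$name.dd.log" \
        || return 1
    img_hash=$(hash_file "$img") || return 1
    echo "$img_hash  $name.img" > "$img.sha256"
    # Hashing the source is a full extra read of the disk, but it is the
    # only way to prove the image is byte-for-byte faithful.
    src_hash=$(hash_file "$src") || src_hash=unreadable
    {
        echo "source=$src"
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "acquired_on=$(uname -n)"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } > "$dest/$name.acquisition.txt"
    # Any difference means the image is not a faithful copy: do not analyse it.
    [ "$src_hash" = "$img_hash" ]
}
```

The .sha256 file is written in sha256sum -c format, so the image can be re-verified on the analysis host before every session.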

msgid "If you are sure that the only compromise is a Trojan kernel module, you can try to run the kernel image from the Debian CD-ROM in <emphasis>rescue</emphasis> mode. Make sure to start up in <emphasis>single user</emphasis> mode, so that no other Trojan processes are started after the kernel."
msgstr "Se você tiver certeza de que um módulo do kernel com trojan comprometeu o sistema, você pode usar a imagem do kernel do CDROM do Debian no modo <emphasis>rescue</emphasis>. Inicie o GNU/Linux no modo <emphasis>single user</emphasis> para que nenhum outro processo com trojan seja executado depois do kernel."

msgid "Contact your local CERT"
msgstr "Contate seu CERT local"

msgid "A CERT (Computer Emergency Response Team) is an organization that can help you recover from a system compromise. There are CERTs worldwide<footnote><para>This is a list of some CERTs; for a full list look at the <ulink name=\"FIRST Member Team information\" url=\"http://www.first.org/about/organization/teams/index.html\" /> (FIRST is the Forum of Incident Response and Security Teams): <ulink name=\"AusCERT\" url=\"http://www.auscert.org.au\" /> (Australia), <ulink name=\"UNAM-CERT\" url=\"http://www.unam-cert.unam.mx/\" /> (Mexico), <ulink name=\"CERT-Funet\" url=\"http://www.cert.funet.fi\" /> (Finland), <ulink name=\"DFN-CERT\" url=\"http://www.dfn-cert.de\" /> (Germany), <ulink name=\"RUS-CERT\" url=\"http://cert.uni-stuttgart.de/\" /> (Germany), <ulink name=\"CERT-IT\" url=\"http://security.dico.unimi.it/\" /> (Italy), <ulink name=\"JPCERT/CC\" url=\"http://www.jpcert.or.jp/\" /> (Japan), <ulink name=\"UNINETT CERT\" url=\"http://cert.uninett.no\" /> (Norway), <ulink name=\"HR-CERT\" url=\"http://www.cert.hr\" /> (Croatia), <ulink name=\"CERT Polska\" url=\"http://www.cert.pl\" /> (Poland), <ulink name=\"RU-CERT\" url=\"http://www.cert.ru\" /> (Russia), <ulink name=\"SI-CERT\" url=\"http://www.arnes.si/si-cert/\" /> (Slovenia), <ulink name=\"IRIS-CERT\" url=\"http://www.rediris.es/cert/\" /> (Spain), <ulink name=\"SWITCH-CERT\" url=\"http://www.switch.ch/cert/\" /> (Switzerland), <ulink name=\"TWCERT/CC\" url=\"http://www.cert.org.tw\" /> (Taiwan), and <ulink name=\"CERT/CC\" url=\"http://www.cert.org\" /> (US).</para></footnote> and you should contact your local CERT in the event of a security incident which has led to a system compromise. The people at your local CERT can help you recover from it."
msgstr "O CERT (Computer and Emergency Response Team) é uma organização que pode te ajudar a recuperar o sistema comprometido. Existem CERTs espalhados por todo o mundo <footnote><para>Esta é a lista de alguns CERTS, para uma lista completa veja o <ulink name=\"FIRST Member Team information\" url=\"http://www.first.org/about/organization/teams/index.html\" /> (FIRST significa Forum of Incident Response and Security Teams): <ulink url=\"http://www.auscert.org.au\" name=\"AusCERT\" /> (Austrália), <ulink url=\"http://www.unam-cert.unam.mx/\" name=\"UNAM-CERT\" /> (México) <ulink name=\"CERT-Funet\" url=\"http://www.cert.funet.fi\" /> (Finlândia), <ulink name=\"DFN-CERT\" url=\"http://www.dfn-cert.de\" /> (Alemanha), <ulink url=\"http://cert.uni-stuttgart.de/\" name=\"RUS-CERT\" /> (Alemanha), <ulink name=\"CERT-IT\" url=\"http://idea.sec.dsi.unim.it\" /> (Itália), <ulink url=\"http://www.jpcert.or.jp/\" name=\"JPCERT/CC\" /> (Japão), <ulink name=\"UNINETT CERT\" url=\"http://cert.uninett.no\" /> (Noruega), <ulink url=\"http://www.cert.hr\" name=\"HR-CERT\" /> (Croácia) <ulink name=\"CERT Polska\" url=\"http://www.cert.pl\" /> (Polônia), <ulink url=\"http://www.cert.ru\" name=\"RU-CERT\" /> (Rússia), <ulink name=\"SI-CERT\" url=\"http://www.arnes.si/si-cert/\" /> (Eslovênia) <ulink name=\"IRIS-CERT\" url=\"http://www.rediris.es/cert/\" /> (Espanha), <ulink url=\"http://www.switch.ch/cert/\" name=\"SWITCH-CERT\" /> (Suíça), <ulink url=\"http://www.cert.org.tw\" name=\"TWCERT/CC\" /> (Taiwan), e <ulink url=\"http://www.cert.org\" name=\"CERT/CC\" /> (US).</para></footnote> e você deve contatar seu CERT local caso ocorra algum incidente de segurança que comprometa seu sistema. As pessoas do CERT local são orientadas à ajudá-los."

msgid "Providing your local CERT (or the CERT coordination center) with information on the compromise, even if you do not seek assistance, can also help others, since the aggregate information of reported incidents is used to determine whether a given vulnerability is in widespread use, whether there is a new worm aloft, and which new attack tools are being used. This information is used to provide the Internet community with information on the <ulink name=\"current security incidents activity\" url=\"http://www.cert.org/current/\" />, and to publish <ulink name=\"incident notes\" url=\"http://www.cert.org/incident_notes/\" /> and even <ulink name=\"advisories\" url=\"http://www.cert.org/advisories/\" />. For more detailed information on how (and why) to report an incident, read <ulink name=\"CERT's Incident Reporting Guidelines\" url=\"http://www.cert.org/tech_tips/incident_reporting.html\" />."
msgstr "Fornecer informações sobre os incidentes de segurança para o CERT local (ou o centro de coordenação do CERT), mesmo que você não precise de assistência, pode ajudar os outros a determinar se uma vulnerabilidade está disseminada na Internet e indicar que novas ferramentas de combate ao worm estão sendo utilizadas. Estas informações são usadas para fornecer à comunidade da Internet alertas sobre as <ulink url=\"http://www.cert.org/current/\" name=\"atividades atuais dos incidentes de segurança\" />, e para publicar <ulink name=\"notas sobre incidentes\" url=\"http://www.cert.org/incident_notes/\" /> e até mesmo <ulink name=\"alertas de segurança\" url=\"http://www.cert.org/advisories/\" />. Para informações mais detalhadas de como (e porquê) relatar um incidente leia o <ulink name=\"CERT's Incident Reporting Guidelines\" url=\"http://www.cert.org/tech_tips/incident_reporting.html\" />."

msgid "You can also use less formal mechanisms if you need help for recovering from a compromise or want to discuss incident information. This includes the <ulink name=\"incidents mailing list\" url=\"http://marc.theaimsgroup.com/?l=incidents\" /> and the <ulink name=\"Intrusions mailing list\" url=\"http://marc.theaimsgroup.com/?l=intrusions\" />."
msgstr "Você pode usar mecanismos menos formais se precisar de ajuda na recuperação de um sistema comprometido ou quiser discutir informações do incidente. Estes mecanismos incluem a <ulink name=\"lista de discussão sobre incidentes\" url=\"http://marc.theaimsgroup.com/?l=incidents\" /> e a <ulink name=\"lista de discussão sobre intrusos\" url=\"http://marc.theaimsgroup.com/?l=intrusions\" />."

msgid "Forensic analysis"
msgstr "Análise forense"

msgid "If you wish to gather more information, the <application>tct</application> (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a <emphasis>post mortem</emphasis> analysis of a system. <application>tct</application> allows the user to collect information about deleted files, running processes and more. See the included documentation for more information. These same utilities and some others can be found in <ulink name=\"Sleuthkit and Autopsy\" url=\"http://www.sleuthkit.org/\" /> by Brian Carrier; Autopsy provides a web front-end for forensic analysis of disk images. In Debian you can find both <application>sleuthkit</application> (the tools) and <application>autopsy</application> (the graphical front-end)."
msgstr ""

msgid "Remember that forensic analysis should always be done on the backup copy of the data, <emphasis>never</emphasis> on the data itself, in case the data is altered during analysis and the evidence is lost."
msgstr "Também, lembre-se que a análise forense deve ser feita sempre na cópia de backup dos dados, <emphasis>nunca</emphasis> nos dados originais, em caso dos dados serem alterados durante a análise e as evidências serem perdidas."

msgid "You will find more information on forensic analysis in Dan Farmer's and Wietse Venema's <ulink name=\"Forensic Discovery\" url=\"http://www.porcupine.org/forensics/forensic-discovery/\" /> book (available online), as well as in their <ulink name=\"Computer Forensics Column\" url=\"http://www.porcupine.org/forensics/column.html\" /> and their <ulink name=\"Computer Forensic Analysis Class handouts\" url=\"http://www.porcupine.org/forensics/handouts.html\" />. Brian Carrier's newsletter <ulink name=\"The Sleuth Kit Informer\" url=\"http://www.sleuthkit.org/informer/index.php\" /> is also a very good resource on forensic analysis tips. Finally, the <ulink name=\"Honeynet Challenges\" url=\"http://www.honeynet.org/misc/chall.html\" /> are an excellent way to hone your forensic analysis skills, as they include real attacks against honeypot systems and provide challenges that vary from forensic analysis of disks to firewall logs and packet captures. For information about available forensics packages in Debian visit <ulink name=\"Debian Forensics\" url=\"http://forensics.alioth.debian.org/\" />."
msgstr ""

msgid "FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future."
msgstr "FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future."

msgid "FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition."
msgstr "FIXME: talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition."
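
What the FIXME above asks for, as an added example that is not part of the manual: a shell script that checks a recovered filesystem against Debian's per-package .md5sums lists, the same data debsums works from. The mount point /mnt/recovered and the location of the trusted checksum lists are assumptions.

```shell
#!/bin/sh
# Added example for the FIXME above (not from the manual): check a
# recovered filesystem, restored on its own partition and mounted read-only
# (say under /mnt/recovered), against the per-package checksum lists Debian
# installs as /var/lib/dpkg/info/<pkg>.md5sums. Take those lists from
# trusted media (the install CD's .deb files or a clean install), never from
# the suspect disk. Mount point and list locations are assumptions.

# Portable MD5 of a file: coreutils md5sum on Debian, md5 on BSD systems.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5sums ROOT SUMSFILE
# SUMSFILE has the dpkg .md5sums layout: "<md5>  <path relative to />" per
# line. Prints one line per problem (MISSING or MISMATCH plus the path) and
# returns 1 if anything differs, 0 when every listed file checks out.
verify_md5sums() {
    root=$1
    sums=$2
    checked=0
    bad=0
    while read -r expected rel; do
        [ -n "$expected" ] || continue
        f=$root/$rel
        checked=$((checked + 1))
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5_of "$f")
        if [ "$actual" != "$expected" ]; then
            # On a stable release packaged files only change through
            # security updates, so a mismatch in a system binary is a strong
            # hint of tampering; confirm against the .deb before concluding.
            echo "MISMATCH $rel"
            bad=$((bad + 1))
        fi
    done < "$sums"
    echo "checked=$checked problems=$bad" >&2
    [ "$bad" -eq 0 ]
}

# verify_tree ROOT INFODIR
# Runs every <pkg>.md5sums found in INFODIR (the trusted copy of
# /var/lib/dpkg/info) against ROOT; returns 1 if any list reported a problem.
verify_tree() {
    rc=0
    for sums in "$2"/*.md5sums; do
        [ -f "$sums" ] || continue
        verify_md5sums "$1" "$sums" || rc=1
    done
    return $rc
}
```

Run verify_tree /mnt/recovered /path/to/trusted/info from the safe boot medium; each MISMATCH line is a file to examine and each MISSING line one that was removed, while files under /etc are mostly conffiles and are not covered by these lists.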

msgid "FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse challenge or <ulink name=\"David Dittrich's papers\" url=\"http://staff.washington.edu/dittrich/\" />)."
msgstr "FIXME add pointers to forensic analysis papers (like the Honeynet's reverse challenge or <ulink url=\"http://staff.washington.edu/dittrich/\" name=\"David Dittirch's papers\" />."

msgid "Analysis of malware"
msgstr ""

msgid "Some other tools provided in the Debian distribution that can be used for forensic analysis are <application>strace</application> and <application>ltrace</application>."
msgstr ""

msgid "Any of these packages can be used to analyze rogue binaries (such as back doors), in order to determine how they work and what they do to the system. Some other common tools include <command>ldd</command> (in <application>libc6</application>), <command>strings</command> and <command>objdump</command> (both in <application>binutils</application>)."
msgstr "Qualquer um desses pacotes podem ser usados para analisar binários anômalos (como os backdoors) para determinar como eles funcionam e o que eles fazem no sistema. Outras ferramentas comuns são o <command>ldd</command> (no pacote <application>libc6</application>), <command>strings</command> e <command>objdump</command> (ambos no pacote <application>binutils</application>)."

msgid "If you try to do forensic analysis with back doors or suspected binaries retrieved from compromised systems, you should do so in a secure environment (for example in a <application>bochs</application> or <application>xen</application> image or a <command>chroot</command>'ed environment using a user with low privileges<footnote><para>Be <emphasis>very</emphasis> careful if using chroots, since if the binary uses a kernel-level exploit to increase its privileges it might still be able to infect your system.</para></footnote>). Otherwise your own system can be back-doored/r00ted too!"
msgstr ""

msgid "If you are interested in malware analysis then you should read the <ulink name=\"Malware Analysis Basics\" url=\"http://www.porcupine.org/forensics/forensic-discovery/chapter6.html\" /> chapter of Dan Farmer's and Wietse Venema's forensics book."
msgstr ""