Responding to security incidents

When a security incident occurs, you should follow the processes defined by your organization. However, you might consider some additional steps. These suggestions are intended to supplement existing security incident response processes within your organization.

Suspected compromised user account

If you suspect that a user account or bot account has been compromised, consider taking the following steps:

Suspected compromised instance

Self-managed GitLab customers and administrators are responsible for:

  • The security of their underlying hosts.
  • Keeping GitLab itself up to date.

It is important to regularly update GitLab, update your operating system and its software, and harden your hosts in accordance with vendor guidance.

If you suspect that your GitLab instance has been compromised, consider taking the following steps:

  • Review the audit events available to you for suspicious account behavior.
  • Review all users (including the Administrative root user), and follow the steps in Suspected compromised user account if necessary.
  • Review the Credentials Inventory, if available to you.
  • Change any sensitive credentials, variables, tokens, and secrets. For example, those located in instance configuration, database, CI/CD pipelines, or elsewhere.
  • Upgrade to the latest version of GitLab and adopt a plan to upgrade after every security patch release.

In addition, the suggestions below are common steps taken in incident response plans when servers are compromised by malicious actors.

Use these suggestions at your own risk.
  • Save any server state and logs to a write-once location, for later investigation.
  • Look for unrecognized background processes.
  • Check for open ports on the system.
  • Rebuild the host from a known-good backup or from scratch, and apply all the latest security patches.
  • Review network logs for uncommon traffic.
  • Establish network monitoring and network-level controls.
  • Restrict inbound and outbound network access to authorized users and servers only.
  • Ensure all logs are routed to an independent write-only datastore.