Chapter 4. Incident Response Introduction

Mike Fedora Project McGrath

Fedora Infrastructure Lead
Fedora Project

4.3.1. Investigation Checklist

4.1. Preperation

Prior to escelation ensure the following steps have been completed. Some of these steps can take hours to complete, they need only be started to move on to initial contact.

Required Config Lines

Requirement	Action	Comment
Must Not	Make any changes to the host.	This includes shutting services down, logging in or out.
Should	Take 2 lvm snapshots for each mounted filesystem.	If the underlying disks on this host are under lvm.
Should	Copy disk images to a trusted location.	For further analysis.
Should	Save memory state.	This is significantly easier with a xen guest.
Should	Copy memory state to trusted location with disk images.	This allows others to clone the current state of that machine.