
Chapter 4. Incident Response Introduction

Mike McGrath

Fedora Infrastructure Lead
Fedora Project
4.1. Preparation
4.2. Initial Contact
4.3. Security Team Lead
4.3.1. Investigation Checklist

4.1. Preparation

Prior to escalation, ensure the following steps have been completed. Some of these steps can take hours to complete; they need only be started before moving on to initial contact.
Required Config Lines

  Must Not | Make any changes to the host.                            | This includes shutting services down, logging in or out.
  Should   | Take 2 LVM snapshots for each mounted filesystem.        | If the underlying disks on this host are under LVM.
  Should   | Copy disk images to a trusted location.                  | For further analysis.
  Should   | Save memory state.                                       | This is significantly easier with a Xen guest.
  Should   | Copy memory state to trusted location with disk images.  | This allows others to clone the current state of that machine.
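The table says what to preserve but not how. The following POSIX shell helper is an added example and is not part of the Fedora SOP: it turns the "Should" rows into a dry-run-first script that lists the LVM-backed mounts, emits two lvcreate snapshots per logical volume, streams the first snapshot to a trusted host with a SHA-256 recorded there, and, on a Xen dom0, saves the guest's memory with "xl save -c" so the guest keeps running. The hostname, evidence directory, snapshot names and the XEN_DOMAIN variable are assumptions; DRY_RUN defaults to 1 so nothing is executed until the printed commands have been reviewed.

```shell
#!/bin/sh
# Added example, not part of the Fedora SOP. Assumes LVM2 tools (lvcreate, lvs),
# a Xen dom0 toolstack providing "xl", and ssh/scp access to a trusted evidence host.
# TRUSTED_HOST and TRUSTED_DIR are placeholders to be replaced per incident.
set -eu

TRUSTED_HOST="${TRUSTED_HOST:-evidence.example.invalid}"  # placeholder hostname
TRUSTED_DIR="${TRUSTED_DIR:-/srv/evidence/CASE-ID}"       # placeholder directory
SNAP_SIZE="${SNAP_SIZE:-2G}"        # copy-on-write space reserved per snapshot
XEN_DOMAIN="${XEN_DOMAIN:-}"        # set on dom0 to the compromised guest's domain name
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands only (default); 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# list_lvm_mounts: read /proc/mounts-style lines from stdin and print "device mountpoint"
# for filesystems backed by a logical volume (/dev/mapper/vg-lv or /dev/vg/lv).
# /dev/mapper also holds dm-crypt devices; lvcreate refuses those, which is acceptable.
list_lvm_mounts() {
    awk '$1 ~ /^\/dev\/mapper\/[^\/]+$/ || $1 ~ /^\/dev\/[^\/]+\/[^\/]+$/ { print $1, $2 }'
}

# vg_of: volume group of a device. In dry-run mode a placeholder is printed because
# lvs is only meaningful on the live host.
vg_of() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'VG\n'
    else
        lvs --noheadings -o vg_name "$1" | tr -d ' '
    fi
}

# snapshot_commands: two lvcreate calls per logical volume, giving an untouched
# reference snapshot plus a working copy for analysis. Names carry the LV basename.
snapshot_commands() {
    dev="$1"
    lv="$(basename "$dev")"
    for n in 1 2; do
        run lvcreate --snapshot --size "$SNAP_SIZE" --name "ir_snap${n}_${lv}" "$dev"
    done
}

# image_commands: stream the first snapshot's block device straight to the trusted host
# and hash it there, so the image never lands on the compromised host's own filesystem.
image_commands() {
    dev="$1"
    lv="$(basename "$dev")"
    snap="/dev/$(vg_of "$dev")/ir_snap1_${lv}"
    run sh -c "dd if=$snap bs=4M status=none | ssh $TRUSTED_HOST 'cat > $TRUSTED_DIR/$lv.img && sha256sum $TRUSTED_DIR/$lv.img > $TRUSTED_DIR/$lv.img.sha256'"
}

# memory_commands: on a Xen dom0, "xl save -c" writes the guest's memory to a file and
# leaves the domain running, so the guest itself is not changed. The file lives on dom0
# only long enough to be hashed and copied beside the disk images.
memory_commands() {
    if [ -z "$XEN_DOMAIN" ]; then
        echo "XEN_DOMAIN not set; skipping memory capture" >&2
        return 0
    fi
    run xl save -c "$XEN_DOMAIN" "/tmp/${XEN_DOMAIN}.mem"
    run sh -c "sha256sum /tmp/${XEN_DOMAIN}.mem > /tmp/${XEN_DOMAIN}.mem.sha256"
    run scp "/tmp/${XEN_DOMAIN}.mem" "/tmp/${XEN_DOMAIN}.mem.sha256" "$TRUSTED_HOST:$TRUSTED_DIR/"
}

main() {
    list_lvm_mounts < /proc/mounts | while read -r dev mnt; do
        echo "# $mnt on $dev"
        snapshot_commands "$dev"
        image_commands "$dev"
    done
    memory_commands
}

# Only act when invoked with --run, so the functions can be sourced or tested on their own.
case "${1:-}" in --run) main ;; esac
```

Run it once as `DRY_RUN=1 sh preserve.sh --run` and read the printed commands before running with `DRY_RUN=0`. The snapshot size is the copy-on-write budget, not the volume size; a snapshot that fills up is invalidated by LVM, so size it generously for volumes that are still being written to.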