
4.4. Actions

The following actions must be taken to correct issues related to the incident and ultimately restore service to nominal levels. Work with the incident coordinator or task manager to complete the tasks listed below.

4.4.1. Investigation

This section of the incident response plan includes some techniques that should be used in the event an incident involves an intrusion or other unauthorized access, to determine the nature of the access and whether it is ongoing.
Sign off  Task                Description
--------  ------------------  -----------------------------------------------------------------------------------------------
          Investigation       Once the intrusion entry point has been discovered, send a summary and details to the incident coordinator.
          Mitigation          Ensure the point of entry is closed or properly secured.

Investigation Tasks

Sign off  Task                Description
--------  ------------------  -----------------------------------------------------------------------------------------------
          Increase Logging    Increase logging of any and all services suspected of being involved in the attack to a level sufficient to determine that no unauthorized access is ongoing.
          File Notifications  Compare files to known good copies, as well as backup copies. Use tools such as the rpm -V command to verify the integrity of system contents against the package database. If appropriate, examine file metadata such as change (ctime), modify (mtime), and access (atime) times to build a timeline of the incident.
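The two file-integrity checks in the table above (rpm -V output and file timestamps) produce raw data that still has to be triaged. The script below is an added example written for this page; it is not code from the Fedora Security Guide or from rpm. It parses the rpm -V result format documented in rpm(8) (nine attribute columns S M 5 D L U G T P, an optional file-type marker such as c for a config file, then the path), ranks each finding, and filters files whose ctime or mtime fall inside an incident window. The rpm -V lines, the priority rules and the temporary test file are constructed for illustration.

```python
"""Triage helpers for the file-integrity investigation task (added example)."""
import os
import tempfile
import time
from dataclasses import dataclass, field

# Column order of the rpm -V result string, per rpm(8): S M 5 D L U G T P.
RPM_FLAGS = ["size", "mode", "digest", "device", "readlink",
             "user", "group", "mtime", "caps"]
# Attributes a config file legitimately drifts in after an administrator edits it.
CONFIG_DRIFT = {"size", "digest", "mtime"}

# Constructed sample of rpm -Va output; not captured from a real host.
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ssh
.M.......    /usr/bin/passwd
missing      /usr/lib64/libpam.so.0
.......T.  d /usr/share/doc/openssh/README
"""


@dataclass
class VerifyResult:
    path: str
    changed: set = field(default_factory=set)
    ftype: str = ""        # c config, d doc, g ghost, l license, r readme
    missing: bool = False

    @property
    def priority(self) -> str:
        """Illustrative ranking (assumption): content/permission changes first."""
        if self.missing:
            return "high"
        if self.ftype == "c" and self.changed <= CONFIG_DRIFT:
            return "low"       # edited config file: expected drift, confirm with the admin
        if self.changed & {"digest", "mode", "user", "group", "caps"}:
            return "high"      # altered binary, permissions or ownership
        return "medium"


def parse_rpm_verify(output: str) -> list[VerifyResult]:
    """Parse `rpm -V` / `rpm -Va` output lines into VerifyResult records."""
    results = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Unsatisfied"):
            continue
        if line.startswith("missing"):
            rest = line[len("missing"):].split()
            ftype = rest[0] if len(rest) > 1 and rest[0] in ("c", "d", "g", "l", "r") else ""
            results.append(VerifyResult(path=rest[-1], ftype=ftype, missing=True))
            continue
        flags, rest = line[:9], line[9:].split(None, 1)
        ftype, path = "", rest[-1]
        if len(rest) == 2 and rest[0] in ("c", "d", "g", "l", "r"):
            ftype, path = rest
        # '.' means the attribute matched, '?' means it could not be checked.
        changed = {RPM_FLAGS[i] for i, ch in enumerate(flags) if ch not in ".?"}
        results.append(VerifyResult(path=path, changed=changed, ftype=ftype))
    return results


def change_timeline(paths, start: float, end: float) -> list[dict]:
    """Return files whose ctime or mtime lies in the incident window [start, end].

    ctime cannot be set with utime(2), so an mtime far older than a recent
    ctime means either a package install (rpm preserves the build mtime) or a
    deliberately back-dated file; it is flagged for correlation with rpm -V.
    """
    hits = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if start <= st.st_ctime <= end or start <= st.st_mtime <= end:
            hits.append({"path": p, "atime": st.st_atime, "mtime": st.st_mtime,
                         "ctime": st.st_ctime,
                         "mtime_predates_ctime": st.st_ctime - st.st_mtime > 86400})
    return sorted(hits, key=lambda h: h["ctime"])


def stage_backdated_file() -> list[dict]:
    """Create a temp file with its mtime reset to 1970 and run the timeline on it."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "backdated.bin")
    open(p, "w").close()
    os.utime(p, (0, 0))            # attacker-style mtime reset; ctime stays 'now'
    now = time.time()
    return change_timeline([p, os.path.join(d, "absent")], now - 60, now + 60)


if __name__ == "__main__":
    for r in parse_rpm_verify(SAMPLE_RPM_VERIFY):
        print(f"{r.priority:6} {r.path} {'MISSING' if r.missing else sorted(r.changed)}")
    for h in stage_backdated_file():
        print(h["path"], "mtime predates ctime:", h["mtime_predates_ctime"])
```

rpm -V compares the filesystem with the local RPM database, which an intruder with root can alter or reinstall packages into; treat a clean result on a suspect host as necessary but not sufficient, and where possible run the verification against a copy of the RPM database taken from backup or from a trusted boot medium.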