
4.2. Prerequisite Tasks

The tasks in this list must be started before any other tasks. Some of them, such as the timeline, continue for the duration of the incident.
Prerequisite Tasks (sign off each task when it is complete)

[ ] Snapshot
    If possible, take two LVM snapshots of every volume on each affected system (one to analyse, one to keep untouched as the original evidence). Prefer a snapshot at the disk level, which yields an image of the entire disk (partition table, boot sectors, non-LVM partitions and unallocated space) rather than images of the logical volumes alone; for virtual machines the hypervisor can usually take such a snapshot without touching the guest. LVM snapshots need free extents in the volume group and live on the affected system, so copy them off promptly (see Snapshot Copy). If LVM is not in use, dd the raw block device and pipe the stream through ssh to a collection host, recording a checksum of the image as it is taken.

[ ] Snapshot Copy
    Work with the incident coordinator to copy the images from the Snapshot task to an agreed secure location. Provide a size estimate in advance. Record basic details alongside the images: the host and device each was taken from, its architecture, its checksum, and what is required to restore the image to a running state.

[ ] Log Copy
    Make an off-site copy of all relevant logs (system, authentication, application and network logs, from the affected hosts and from any central log server) before they are rotated, and record a checksum of each copy.

[ ] Incident Response Team List
    Create and maintain a list of the people who are aware of the compromise and its details. Once the list exists it must not grow without the approval of the incident coordinator, except where this incident response plan already names additional people.

[ ] Timeline
    Create and maintain a timeline sorted by the time each event actually took place. Record the actual time of each event, not merely the time it was discovered, and note the source of each entry (log line, file timestamp, report) and its time zone so that entries from different systems can be ordered reliably.

[ ] Disabling Authentication
    Disable access to every host suspected of being compromised for everyone except the incident response team. In extreme cases this may mean disabling central authentication altogether. Revoking access changes state on the host and may alert the attacker, so begin this only once the Snapshot and Log Copy tasks above are under way.
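The Snapshot and Snapshot Copy tasks above, as an added example that is not part of this plan: a POSIX shell script that streams a device image through dd to a collection host while hashing the bytes sent, plus the check to run on the stored copy before the source is touched again. The host name `collector`, the `/evidence` paths, the volume group `vg0` and the snapshot size are assumptions; the `lvcreate` options in the comment are standard, but the names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original plan: image a block device (or an
# LVM snapshot of one) off an affected host while hashing the stream, then
# verify the stored copy. Host names, paths and sizes below are assumptions.
#
# On the affected host, when LVM is in use, create a read-only snapshot first
# (the size must fit the volume group's free extents) and image the snapshot
# rather than the live volume:
#   lvcreate --snapshot --permission r --size 10G --name root-ir /dev/vg0/root
#   image_device /dev/vg0/root-ir "ssh ir@collector 'cat > /evidence/host1-root.img'"
# Without LVM, or to capture the partition table and unallocated space as
# well, image the whole disk instead:
#   image_device /dev/sda "ssh ir@collector 'cat > /evidence/host1-sda.img'"

# image_device SRC SINK: stream SRC through dd into SINK, a shell command that
# reads the image on stdin (normally ssh to the collection host). A copy of
# the stream is hashed locally and the SHA-256 of the bytes sent is printed,
# so it can be compared with the stored copy. Returns non-zero if dd or the
# sink fails, so a truncated image is never mistaken for a complete one.
image_device() {
  src=$1; sink=$2
  work=$(mktemp -d) || return 1
  mkfifo "$work/fifo" || { rm -rf "$work"; return 1; }
  # Hash the copy of the stream that tee sends down the FIFO.
  sha256sum < "$work/fifo" | cut -d' ' -f1 > "$work/hash" &
  hashpid=$!
  # bs is given in bytes so it works with both GNU and BSD dd. dd's exit
  # status is saved to a file because the pipeline only reports the sink's.
  { dd if="$src" bs=4194304 2>"$work/dd.err"; echo $? > "$work/dd.rc"; } \
    | tee "$work/fifo" | sh -c "$sink"
  sink_rc=$?
  wait "$hashpid"
  dd_rc=$(cat "$work/dd.rc" 2>/dev/null)
  cat "$work/hash"
  rm -rf "$work"
  [ "${dd_rc:-1}" -eq 0 ] && [ "$sink_rc" -eq 0 ]
}

# verify_image HASH PATH: recompute the SHA-256 of the stored image and compare
# it with the hash printed by image_device. Run this on the collection host
# before the snapshot is released or the affected system is touched again.
verify_image() {
  expected=$1; path=$2
  actual=$(sha256sum "$path" | cut -d' ' -f1) || return 1
  [ "$actual" = "$expected" ]
}
```

Keep the printed hash with the image details recorded in the Snapshot Copy task; a copy that fails `verify_image` must be taken again, not repaired.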
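The Disabling Authentication task, as an added example that is not from this plan: a POSIX shell script that lists the accounts able to log in to a host, expires every one that is not on the incident response team's allowlist, and emits an sshd configuration fragment that admits only the team's group. The group name `irteam`, the user names and the passwd sample used to exercise it are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original plan: cut off everyone but the
# incident response team on a suspected host. Group and user names are
# assumptions. Run as root; set IR_DRY_RUN=1 to only print what would be done.

# accounts_to_lock PASSWD_FILE ALLOWED_USERS: print the accounts that can log
# in interactively (a real shell rather than nologin/false) and are not in the
# space-separated ALLOWED_USERS list. System accounts with a nologin shell are
# skipped because they cannot log in anyway.
accounts_to_lock() {
  passwd_file=$1; allowed=" $2 "
  while IFS=: read -r user _ _ _ _ _ shell; do
    case "$shell" in */nologin|*/false|"") continue ;; esac
    case "$allowed" in *" $user "*) continue ;; esac
    printf '%s\n' "$user"
  done < "$passwd_file"
}

# lock_account USER: expire the account instead of only locking its password.
# `passwd -l` leaves key-based ssh logins working, whereas an expired account
# is refused by PAM for every login method. Existing sessions are killed so
# an attacker who is already logged in loses them too.
lock_account() {
  if [ "${IR_DRY_RUN:-0}" = 1 ]; then
    printf 'would run: usermod --expiredate 1 %s; pkill -KILL -u %s\n' "$1" "$1"
  else
    usermod --expiredate 1 "$1" || return 1
    pkill -KILL -u "$1" 2>/dev/null || true
  fi
}

# sshd_ir_config GROUP: sshd_config fragment that admits only members of the
# IR team's group and refuses passwords. The default (no AllowGroups) accepts
# every account that has a shell.
sshd_ir_config() {
  printf 'AllowGroups %s\nPasswordAuthentication no\n' "$1"
}

# lockdown PASSWD_FILE ALLOWED_USERS GROUP: lock every account not on the
# allowlist, then print the sshd fragment to install (in sshd_config, or an
# sshd_config.d drop-in where Include is used) before reloading sshd.
lockdown() {
  accounts_to_lock "$1" "$2" | while read -r u; do lock_account "$u"; done
  sshd_ir_config "$3"
}
```

Keep the allowlist in step with the Incident Response Team List task, and remember that expiring accounts does nothing about access that bypasses the host's own login (a compromised central authentication server, for instance), which is the case the plan's "disable central authentication altogether" clause covers.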