Rough Draft of Unix Incident Response Procedure
29 June 1998 (NOTE: Modified 15 July 1999 for public perusal)

I) Remain calm

II) Determine who is going to be the point person (this should have already been decided). The point person should coordinate the steps outlined below.

III) Determine the scope of the incident:
   A) on the compromised machine(s):
      1) if the perp isn't connected to the machine, remotely login as root via ssh. DO NOT connect to the machine and then su.
      2) set library path:
         LD_LIBRARY_PATH=$clean/usr/lib:$clean/local/lib; export LD_LIBRARY_PATH
      3) set path:
         PATH=$clean/usr/bin:$clean/usr/sbin:/afs/acpub/@sys/local/bin; export PATH
      4) umask 077
      5) verify system integrity: find all suid scripts and compare their MD5 checksums against a known, verifiably clean copy; check:
         /etc/inetd.conf
         /etc/hosts.equiv
         /etc/shosts.equiv
         /etc/hosts.allow
         /etc/hosts.deny
         /etc/cron.d/(at/cron).(allow/deny)
         /var/spool/crontabs/cron/root
         /.rhosts
         /.shosts
         /etc/rc*.d/*
         /etc/inittab
         /etc/nsswitch.conf
         /var/log/*
         /var/adm/*
         /tmp, /dev, /devices for suspicious directories & files
         ps
         netstat -a
      6) change the bits
   B) gather logs via ssh from other machines; search for connections made by the attacking site(s)

IV) Decide the course of immediate action:
   A) lock the account
   B) monitor the account

V) Determine who, if anyone, should be contacted: Law Enforcement, Internal Audit, etc.

VI) Cleaning up
   A) re-installing the system
   B) re-opening or deleting the account(s)
   C) removing monitors
   D) change the bits if not done in Sec IV Step A.6

VII) Summarize and disseminate lessons learned
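Step III.A.5 asks the responder to find the set-uid files and compare their MD5 checksums, along with the named configuration files, against a known-clean copy. The script below is an added example of how that baseline-and-compare can be done; it is not part of the original procedure. It assumes GNU coreutils md5sum is available and that the clean toolchain has already been put first on PATH as steps III.A.2 through III.A.4 arrange. The file names in the demo are constructed sample data, and the ROOT argument lets the same check be run against a mounted copy of the suspect disk rather than the live root.

```shell
#!/bin/sh
# Added example (not from the original procedure): build a manifest of MD5 checksums
# for set-uid files and key configuration files, then compare a system against it.
# Assumes GNU md5sum and a clean toolchain first on PATH (steps III.A.2-4).

umask 077

# Configuration files the procedure names, relative to the root being checked.
CONFIG_FILES="etc/inetd.conf etc/hosts.equiv etc/shosts.equiv etc/hosts.allow
etc/hosts.deny etc/inittab etc/nsswitch.conf .rhosts .shosts"

# list_targets ROOT: print every set-uid regular file under ROOT plus each listed
# configuration file that exists, one path per line, sorted and de-duplicated.
list_targets() {
  root="$1"
  {
    find "$root" -xdev -type f -perm -4000 -print
    for rel in $CONFIG_FILES; do
      [ -f "$root/$rel" ] && printf '%s\n' "$root/$rel"
    done
  } | sort -u
}

# build_manifest ROOT OUT: write one "md5  path" line per target to OUT.
# Run this on the known-clean system (or read-only media) and keep OUT off-host.
build_manifest() {
  list_targets "$1" | while IFS= read -r f; do md5sum "$f"; done > "$2"
}

# check_manifest ROOT MANIFEST: report CHANGED and MISSING baseline entries and
# NEW set-uid files that were not in the baseline. Returns 0 only if nothing differs.
check_manifest() {
  root="$1"; manifest="$2"; status=0
  # The redirected while loop runs in the current shell, so status survives it.
  while IFS= read -r line; do
    expected=${line%% *}
    path=${line#*  }
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; status=1
    elif [ "$(md5sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
      echo "CHANGED $path"; status=1
    fi
  done < "$manifest"
  # Paths known to the baseline, one per line, for exact whole-line matching.
  known=$(sed 's/^[0-9a-f]*  //' "$manifest")
  new=$(list_targets "$root" | while IFS= read -r f; do
          printf '%s\n' "$known" | grep -qxF -- "$f" || echo "NEW $f"
        done)
  if [ -n "$new" ]; then printf '%s\n' "$new"; status=1; fi
  return "$status"
}

# Demonstration on a constructed fake root: baseline it, alter it, check it.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/usr/bin"
  printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' > "$root/etc/inetd.conf"
  printf '#!/bin/sh\necho original\n' > "$root/usr/bin/su"
  chmod 4755 "$root/usr/bin/su"
  build_manifest "$root" "$root/baseline.md5"
  echo "baseline: $(wc -l < "$root/baseline.md5") entries"
  # Later state: the set-uid binary has changed and a second set-uid file appeared.
  echo 'echo appended' >> "$root/usr/bin/su"
  cp "$root/usr/bin/su" "$root/usr/bin/extra"; chmod 4755 "$root/usr/bin/extra"
  check_manifest "$root" "$root/baseline.md5" || echo "integrity check FAILED"
  rm -rf "$root"
}
demo
```

The baseline must come from media the intruder could not have touched (the procedure's "known, verifiably clean copy"); a manifest built on the compromised host after the fact only proves the system matches itself. Because ROOT is a parameter, the check works equally on the live system and on a clean host with the suspect disk mounted read-only, which also sidesteps any tampered md5sum or find binaries.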