Recovering from a UNIX System Compromise (cont.)


Update your security policy:

Document lessons learned from being compromised
Calculate the cost of this incident
Incorporate necessary changes (if any) in your security policy

One recovery method that could be used is software mirroring.  
Once a system compromise occurs:

Remove one of the mirrored drives for later analysis or for evidence
Add a new hard drive and install a new OS on that drive
Mount the remaining mirrored drive and copy any non-binary data files onto the new drive (This works well with web servers)
Then umount the old drive and re-mirror the system, overwriting the old drive