After installing Linux, what security measures/steps should one take for gathering post-breach information?
Install a file integrity checker like AIDE, Samhain or even Tripwire; disable services you still have to harden; set up logging, auditing and backups; and start hardening the host. Please check out the
LQ FAQ: Security references, part 1 on hardening and part 5 on recovery.
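To show what a file integrity checker such as AIDE, Samhain or Tripwire does under the hood, here is an added example (not from the post above or from any of those projects): it builds a baseline of hashes and metadata for a directory tree, then compares a later snapshot against it and reports added, removed and changed files. The directory layout, file names and contents in `demo()` are constructed for the example; on a real host the baseline database must be written to read-only or off-host storage, because an intruder who can rewrite the baseline can hide changes.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash the content and capture the metadata an integrity check cares about."""
    st = path.lstat()                      # lstat: do not follow symlinks
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):           # only regular files have content to hash
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(st.st_mode),           # permission/setuid changes are as interesting as content
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Walk root and record every file, keyed by its path relative to root."""
    baseline = {}
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root_path))] = file_record(p)
    return baseline


def save_baseline(baseline: dict, dest: str) -> None:
    """Persist the baseline; in practice dest should be read-only or off-host media."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src: str) -> dict:
    with open(src) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or whose recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: take a baseline, alter the tree, run the check."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "ls").write_bytes(b"original binary")
        (r / "etc").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        db = str(r / "baseline.json")
        save_baseline(build_baseline(root), db)
        os.remove(db)                                   # keep the db out of the tree it describes
        baseline = json.loads(open.__doc__ and json.dumps(build_baseline(root)))

        # Simulated changes after the baseline was taken
        (r / "bin" / "ls").write_bytes(b"replaced binary v2")   # content and size differ
        (r / "etc" / "passwd").unlink()                          # file removed
        (r / "etc" / "ld.so.preload").write_text("/lib/example.so\n")  # file added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the check from a trusted boot medium or with the baseline on read-only storage; a check whose reference database lives on the compromised host tells you only what the intruder wants you to see.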
What steps should one take after a security breach?
Isolate the host from the network, inform direct and adjacent users, retrieve information, restore (that is: nuke, do not revive by building on the current situation).
Please also suggest some good practices (besides updates), informative sites and tools.
Please read SECREF first, *then* post what you propose to do, *then* ask.
Much more effective.
TIA.
I cannot remember off the top of my head how I did that.
On ext2/ext3 filesystems: man chattr, the append-only flag.