[122939] in North American Network Operators' Group


Re: Security Guideance

daemon@ATHENA.MIT.EDU (Michael Holstein)
Tue Feb 23 15:39:09 2010

Date: Tue, 23 Feb 2010 15:38:46 -0500
From: Michael Holstein <michael.holstein@csuohio.edu>
In-Reply-To: <386FCF83D8086E4A89655E41CD3B53D359DF35766F@rtexch01>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


> The user could also be running the command inline somehow or deleting the file when they log off.  

"Wiretapping" your SSHd is one way to find out what people are up to:

http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html

Also .. if you have the resources, a passive tap and another box that
has enough disk and I/O to keep up is useful to see who was doing what
right before the packetstorm happens.

If you can take the box offline and grab a disk image, tools like "fls"
from TSK can generate a filesystem timeline, again .. who touched what
right before it started...

Cheers,

Michael Holstein
Cleveland State University
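As an added illustration of the fls-based timeline idea (example code, not part of Holstein's post): this Python script parses records in the bodyfile format that `fls -m` emits, flattens them into a MACB timeline the way mactime does, and then pulls out the events in the window just before an assumed incident time. The sample records, paths and timestamps are constructed.

```python
"""Build a MACB timeline from TSK bodyfile lines (the `fls -m` output format)."""
from datetime import datetime, timezone

# Constructed sample, TSK 3.x bodyfile layout (one record per line):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/home/alice/.bash_history|1234|r/rrw-------|1000|1000|812|1266955080|1266955080|1266955080|1266950000
0|/tmp/.x/flood|5678|r/rrwxr-xr-x|1000|1000|40960|1266955140|1266955100|1266955100|1266955100
0|/var/log/auth.log|91|r/rrw-r-----|0|4|20480|1266955200|1266955190|1266955190|1266900000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

def parse_bodyfile(text):
    """Split pipe-delimited bodyfile lines into dicts; reject malformed records."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed bodyfile line: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records

def build_timeline(records):
    """Flatten records into (epoch, MACB flags, uid, name) events, oldest first."""
    events = {}
    for r in records:
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")):
            t = int(r[key])
            if t <= 0:  # TSK writes 0 for timestamps the filesystem does not record
                continue
            events.setdefault((t, r["name"]), {"flags": set(), "uid": r["uid"]})["flags"].add(flag)
    return [(t, "".join(f if f in v["flags"] else "." for f in "macb"), v["uid"], name)
            for (t, name), v in sorted(events.items())]

def events_before(timeline, incident_epoch, window_seconds):
    """Events in the window leading up to the incident: who touched what right before."""
    return [e for e in timeline if incident_epoch - window_seconds <= e[0] <= incident_epoch]

def fmt(event):
    t, flags, uid, name = event
    return f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S} {flags} uid={uid} {name}"

if __name__ == "__main__":
    tl = build_timeline(parse_bodyfile(SAMPLE_BODY))
    for e in events_before(tl, incident_epoch=1266955200, window_seconds=120):
        print(fmt(e))
```

On a real image the input would be the file produced by `fls -r -m / image.dd`, which can be large; the same window filter is what narrows it to the minutes before the packetstorm.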
