intrusion tracking

Heinz Diehl htd at fritha.org
Wed Jan 26 15:00:12 UTC 2011


On 26.01.2011, Wolfgang S. Rupprecht wrote: 

> The real issue is that there isn't a good activity log.  While I can
> install tripwire to watch for changed files

I would have used "aide" instead of tripwire.

> it probably won't tell me how they got in.
> Is there something that addresses that problem?

No way. Once the attacker has become root, all your logs could be
deleted and/or manipulated. You can't rely on them any longer.



