intrusion tracking
Rick Stevens
ricks at nerd.com
Thu Jan 27 17:07:22 UTC 2011
On 01/26/2011 07:00 AM, Heinz Diehl wrote:
> On 26.01.2011, Wolfgang S. Rupprecht wrote:
>
>> The real issue is that there isn't a good activity log. While I can
>> install tripwire to watch for changed files
>
> I would have used "aide" instead of tripwire.
>
>> it probably won't tell me how they got in.
>> Is there something that addresses that problem?
>
> No way. Once the attacker has become root, all your logs could be
> deleted and/or manipulated. You can't rely on them any longer.
There are patches to the bash, korn and c shells that log every command
line entered to syslog. Get those and install them, then set up syslog
to log to a remote logging server.
It ain't perfect, but we've nabbed a couple of baddies that way.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- I'm afraid my karma just ran over your dogma -
----------------------------------------------------------------------
More information about the users
mailing list