intrusion tracking

Thu Jan 27 17:07:22 UTC 2011

On 01/26/2011 07:00 AM, Heinz Diehl wrote:
> On 26.01.2011, Wolfgang S. Rupprecht wrote:
>
>> The real issue is that there isn't a good activity log.  While I can
>> install tripwire to watch for changed files
>
> I would have used "aide" instead of tripwire.
>
>> it probably won't tell me  how they got in.
>> Is there something that addresses that problem?
>
> No way. Once the attacker has become root, all your logs could be
> deleted and/or manipulated. You can't rely on them any longer.

There are patches to the bash, korn and c shells that log every command
line entered to syslog.  Get those and install them, then set up syslog
to log to a remote logging server.

It ain't perfect, but we've nabbed a couple of baddies that way.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting          ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-            I'm afraid my karma just ran over your dogma            -
----------------------------------------------------------------------