Security Guideance
Michael Holstein
michael.holstein at csuohio.edu
Tue Feb 23 20:38:46 UTC 2010
> The user could also be running the command inline somehow or deleting the file when they log off.
"wiretapping" your SSHd is one way to find out what people are up to
http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html
Also .. if you have the resources, a passive tap and another box that
has enough disk and I/O to keep up is useful to see who was doing what
right before the packetstorm happens.
If you can take the box offline and grab a disk image, tools like "fls"
from TSK can generate a filesystem timeline, again .. who touched what
right before it started...
Cheers,
Michael Holstein
Cleveland State University
More information about the NANOG
mailing list