Security Guideance

Michael Holstein michael.holstein at
Tue Feb 23 20:38:46 UTC 2010

> The user could also be running the command inline somehow or deleting the file when they log off.  

"wiretapping" your SSHd is one way to find out what people are up to

Also .. if you have the resources, a passive tap and another box that
has enough disk and I/O to keep up is useful to see who was doing what
right before the packetstorm happens.

If you can take the box offline and grab a disk image, tools like "fls"
from TSK can generate a filesystem timeline, again .. who touched what
right before it started...


Michael Holstein
Cleveland State University

More information about the NANOG mailing list