nanog mailing list archives
Re: Security Guideance
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 23 Feb 2010 15:38:46 -0500
The user could also be running the command inline somehow or deleting the file when they log off.
"wiretapping" your SSHd is one way to find out what people are up to http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html Also .. if you have the resources, a passive tap and another box that has enough disk and I/O to keep up is useful to see who was doing what right before the packetstorm happens. If you can take the box offline and grab a disk image, tools like "fls" from TSK can generate a filesystem timeline, again .. who touched what right before it started... Cheers, Michael Holstein Cleveland State University