PaulDotCom mailing list archives

HIDS advice?


From: mike.patterson at unb.ca (Mike Patterson)
Date: Wed, 19 Aug 2009 20:38:04 -0400

Ron Gula wrote on 8/18/09 10:22 PM:
> I'm curious how many people enable process accounting on UNIX or Windows
> and feed these to their SIM? When you start seeing tcpdump being run by
> user 'www' at 2:00 am, things can get interesting.

We've had process accounting help us immeasurably in the past.  Intruder
carefully cleaned up after himself, remembered to clear logs, wipe out
shell history, etc etc.  He didn't clear out the process accounting logs
though, and that told us everything.  So awesome.  I wish everybody
would do that.  Of course, I actually wish people wouldn't set things up
such that they get pwned in the first place, but that's a nice second best.

Mike

-- 
When angry, count four; when very angry, swear.  - Mark Twain
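The detection Ron describes (ship process accounting records to the SIM and alert when a service account such as 'www' runs something like tcpdump in the small hours) can be prototyped in a few lines. The following is an added example, not code from this thread or from PaulDotCom: it parses a constructed sample in the style of GNU acct's `lastcomm` output and returns the records worth forwarding as alerts. The service-account names, the list of commands a web daemon should never spawn, and the off-hours window are assumptions to be tuned per environment.

```python
import re
from collections import namedtuple

# Constructed sample in the style of GNU acct's `lastcomm` output
# (command, optional flags, user, tty, CPU time, start time). Not real data.
SAMPLE_LASTCOMM = """\
httpd           www      __         0.02 secs Tue Aug 18 01:58
tcpdump      S  www      pts/0      0.03 secs Tue Aug 18 02:00
sh           F  www      pts/0      0.00 secs Tue Aug 18 02:01
cron            root     __         0.00 secs Tue Aug 18 02:05
rm              www      pts/0      0.00 secs Tue Aug 18 02:09
backup.sh       root     __         1.20 secs Tue Aug 18 02:30
httpd           www      __         0.01 secs Tue Aug 18 09:15
"""

Record = namedtuple("Record", "command flags user tty cpu_secs start hour")

# Flags column is optional: S=superuser, F=fork without exec, D=dumped core, X=killed.
LINE_RE = re.compile(
    r"^(?P<command>\S+)\s+"
    r"(?:(?P<flags>[SFDX]+)\s+)?"
    r"(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+) secs\s+"
    r"(?P<start>.+?(?P<hour>\d{1,2}):\d{2})\s*$"
)

def parse_lastcomm(text):
    """Parse lastcomm-style lines into Records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(Record(
            m["command"], m["flags"] or "", m["user"], m["tty"],
            float(m["cpu"]), m["start"], int(m["hour"]),
        ))
    return records

# Assumed: accounts that should only ever run the daemon they belong to.
SERVICE_ACCOUNTS = {"www", "www-data", "apache", "nobody"}
# Assumed: tools a web daemon has no business spawning (capture, shells, cleanup).
SUSPICIOUS_COMMANDS = {"tcpdump", "sh", "bash", "nc", "rm"}
# Assumed: 00:00-05:59 local time counts as off hours.
OFF_HOURS = range(0, 6)

def find_suspicious(records):
    """Return (record, reason) pairs that deserve an alert in the SIM."""
    findings = []
    for r in records:
        if r.user not in SERVICE_ACCOUNTS:
            continue
        reasons = []
        if r.command in SUSPICIOUS_COMMANDS:
            reasons.append("unexpected command for service account")
        if r.tty != "__":
            # A daemon account attached to a pty means someone is typing as it.
            reasons.append("service account attached to a terminal")
        if reasons and r.hour in OFF_HOURS:
            reasons.append("during off hours")
        if reasons:
            findings.append((r, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for rec, why in find_suspicious(parse_lastcomm(SAMPLE_LASTCOMM)):
        print(f"{rec.start} {rec.user} ran {rec.command} on {rec.tty}: {why}")
```

The normal `httpd` records from 'www' produce nothing, while `tcpdump`, `sh` and `rm` on a pty at 02:00 each produce an alert; in practice you would read `/var/account/pacct` on a schedule (or stream it) and send only the findings to the SIM, keeping the raw accounting file as the evidence Mike describes.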

