[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security Guideance

Subject: Security Guideance
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Tue, 23 Feb 2010 15:38:46 -0500
In-reply-to: <386FCF83D8086E4A89655E41CD3B53D359DF35766F@rtexch01>
References: <[email protected]> <[email protected]> <386FCF83D8086E4A89655E41CD3B53D359DF35766F@rtexch01>

> The user could also be running the command inline somehow or deleting the file when they log off.  

"wiretapping" your SSHd is one way to find out what people are up to

http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html

Also .. if you have the resources, a passive tap and another box that
has enough disk and I/O to keep up is useful to see who was doing what
right before the packetstorm happens.

If you can take the box offline and grab a disk image, tools like "fls"
from TSK can generate a filesystem timeline, again .. who touched what
right before it started...

Cheers,

Michael Holstein
Cleveland State University

References:
- Security Guideance
  - From: pstewart at nexicomgroup.net (Paul Stewart)
- Security Guideance
  - From: setient at gmail.com (Ronald Cotoni)
- Security Guideance
  - From: msprague at readytechs.com (Matt Sprague)

Prev by Date: Security Guideance
Next by Date: Security Guideance
Previous by thread: Security Guideance
Next by thread: Security Guideance
Index(es):
- Date
- Thread