On 01/26/2011 07:00 AM, Heinz Diehl wrote: > On 26.01.2011, Wolfgang S. Rupprecht wrote: > >> The real issue is that there isn't a good activity log. While I can >> install tripwire to watch for changed files > > I would have used "aide" instead of tripwire. > >> it probably won't tell me how they got in. >> Is there something that addresses that problem? > > No way. Once the attacker has become root, all your logs could be > deleted and/or manipulated. You can't rely on them any longer.
There are patches to the bash, korn and c shells that log every command line entered to syslog. Get those and install them, then set up syslog to log to a remote logging server. It ain't perfect, but we've nabbed a couple of baddies that way. ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer, C2 Hosting ri...@nerd.com - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - - I'm afraid my karma just ran over your dogma - ---------------------------------------------------------------------- -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
