Ron Gula wrote on 8/18/09 10:22 PM:

> I'm curious how many people enable process accounting on UNIX or Windows
> and feed these to their SIM? When you start seeing tcpdump being run by
> user 'www' at 2:00 am, things can get interesting.
We've had process accounting help us immeasurably in the past. Intruder carefully cleaned up after himself, remembered to clear logs, wipe out shell history, etc., etc. He didn't clear out the process accounting logs though, and that told us everything. So awesome. I wish everybody would do that. Of course, I actually wish people wouldn't set things up such that they get pwned in the first place, but that's a nice second best.

Mike
--
When angry, count four; when very angry, swear. - Mark Twain

_______________________________________________
Pauldotcom mailing list
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
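The detection Ron describes (a web-server account running tcpdump in the small hours), as an added example that is not from the thread: a small Python rule set run over constructed `lastcomm`-style records, the reader for the accounting file the kernel appends to as each process exits, which is why those records survived the cleanup Mike describes. The service-account names, watchlist, per-account baseline and business-hours window are assumptions to tune per host.

```python
import re

# Constructed lines in the column layout printed by `lastcomm` (the acct package's
# reader for the kernel's process-accounting file); made up for this example.
SAMPLE_LASTCOMM = """\
httpd             F     www      __         0.02 secs Tue Aug 18 01:58
tcpdump           S     www      __         0.03 secs Tue Aug 18 02:00
sh                      www      __         0.00 secs Tue Aug 18 02:01
cron              SF    root     __         0.01 secs Tue Aug 18 02:05
tcpdump           S     root     pts/0      1.20 secs Tue Aug 18 14:30
"""

# Columns: command, flags (S/F/D/X, may be empty), user, tty, CPU secs, start (no year)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>[SFDX]*)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+) secs\s+(?P<start>\w{3} \w{3} +\d+ (?P<hour>\d{2}):\d{2})$"
)

# Tuning values are assumptions for this example; adjust them for the monitored host.
SERVICE_ACCOUNTS = {"www", "www-data", "apache", "nobody"}
WATCHLIST = {"tcpdump"}                   # never legitimate under a web-server account
BASELINE = {"www": {"httpd", "php-cgi"}}  # processes expected under each service account
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 local; anything else is off-hours

def parse_lastcomm(text):
    """Yield one dict per well-formed lastcomm line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield {**m.groupdict(), "hour": int(m["hour"])}

def classify(rec):
    """Return (severity, reason) for a service-account record, else None."""
    if rec["user"] not in SERVICE_ACCOUNTS:
        return None
    if rec["cmd"] in WATCHLIST:
        return ("high", f"{rec['cmd']} run by {rec['user']} at {rec['start']}")
    if rec["cmd"] not in BASELINE.get(rec["user"], set()) and rec["hour"] not in BUSINESS_HOURS:
        return ("medium", f"unexpected {rec['cmd']} by {rec['user']} off-hours at {rec['start']}")
    return None

def detect(text):
    """Run the rules over a lastcomm dump and return alerts in input order."""
    alerts = []
    for rec in parse_lastcomm(text):
        hit = classify(rec)
        if hit:
            alerts.append((hit[0], rec["cmd"], rec["user"], hit[1]))
    return alerts
```

On the constructed sample, `detect(SAMPLE_LASTCOMM)` flags tcpdump under www at 02:00 as high and the stray sh under www at 02:01 as medium, while root's daytime tcpdump and the httpd children stay quiet.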
