[SGVLUG] Security/auditing and the "sudo" log
matti
mathew_2000 at yahoo.com
Mon Mar 2 11:30:30 PST 2009
Hi,

su/sulog audits

A major forensic analysis I had to do of an attack (took the entire "ecommerce/phone center" down) required looking at sulogs. As you mentioned, that only gave a little info... thankfully for this case enough to realize that a user account had been compromised.

We looked closely to determine what else changed and who else was accessing the system during that time period. We were able to trace it and id the intruder (ex-coworker who believed he was better than the people he left and thought we couldn't easily be found.)

Anyways, traditionally THERE is no easy way to handle this in many standard unixes/linuxes. One way to help address this issue is to have a network recorder; however, if someone is going in over SSL/SSH to the host then that is problematic.

IIRC if you want a greater ability to audit you need to move over to a more secure unix variant.

OH! and here I found some scripts to help monitor the SU log...
http://www.itworld.com/nls_unix_su1_060126

best
matti
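The post above describes pulling a compromised account out of a sulog by hand. As an added example (not part of the post, and not the scripts linked there), here is a small Python parser that turns a classic Solaris/HP-UX style sulog into a per-user summary and a list of records worth a second look for a forensic timeline. It assumes the traditional record layout `SU MM/DD HH:MM +|- tty from-to`, where `+` marks a successful su and `-` a failed one; the sample log, the off-hours window (22:00 to 06:00) and the failure threshold are constructed for the demonstration.

```python
"""Summarise a sulog for a forensic timeline (added example, not the post's code).

Assumed record layout (classic Solaris/HP-UX sulog):
    SU MM/DD HH:MM +|- tty from-to
"+" means the su succeeded, "-" means it failed.
"""
import re
from collections import defaultdict

# Constructed sample sulog; no real host data.
SAMPLE_SULOG = """\
SU 03/01 09:12 + pts/1 alice-root
SU 03/01 22:47 - pts/3 bob-root
SU 03/01 22:48 - pts/3 bob-root
SU 03/01 22:49 + pts/3 bob-root
SU 03/02 03:15 + pts/5 webadm-root
SU 03/02 10:05 + console root-alice
"""

# The from-to field is split at its last hyphen, which is what the
# greedy \S+ before the literal "-" gives us.
SULOG_RE = re.compile(
    r"^SU\s+(\d\d)/(\d\d)\s+(\d\d):(\d\d)\s+([+-])\s+(\S+)\s+(\S+)-(\S+)\s*$"
)


def parse_sulog(text):
    """Return (records, malformed).

    records  - list of dicts, one per parsable line
    malformed - (line number, raw line) pairs, so nothing is silently dropped
    """
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = SULOG_RE.match(line)
        if m is None:
            malformed.append((lineno, line))
            continue
        mon, day, hh, mm, flag, tty, src, dst = m.groups()
        records.append({
            "line": lineno,
            "stamp": f"{mon}/{day} {hh}:{mm}",
            "hour": int(hh),
            "success": flag == "+",
            "tty": tty,
            "from": src,
            "to": dst,
        })
    return records, malformed


def summarize(records):
    """Count successful and failed su attempts per originating user."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for r in records:
        counts[r["from"]]["ok" if r["success"] else "fail"] += 1
    return dict(counts)


def flag_records(records, off_start=22, off_end=6, fail_threshold=2):
    """Return (record, reasons) pairs for entries an analyst should review.

    Flags every failure, any su in the off-hours window, and a success that
    follows at least `fail_threshold` failures for the same from/to pair.
    """
    flagged = []
    recent_failures = defaultdict(int)
    for r in records:
        reasons = []
        if r["hour"] >= off_start or r["hour"] < off_end:
            reasons.append("off-hours su")
        key = (r["from"], r["to"])
        if r["success"]:
            n = recent_failures.pop(key, 0)
            if n >= fail_threshold:
                reasons.append(f"success after {n} failed attempts")
        else:
            recent_failures[key] += 1
            reasons.append("failed su")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    recs, bad = parse_sulog(SAMPLE_SULOG)
    for user, c in summarize(recs).items():
        print(f"{user:10} ok={c['ok']} fail={c['fail']}")
    for r, reasons in flag_records(recs):
        print(f"line {r['line']:3} {r['stamp']} {r['from']}->{r['to']} "
              f"on {r['tty']}: {', '.join(reasons)}")
    for lineno, raw in bad:
        print(f"line {lineno}: could not parse: {raw!r}")
```

Run it against a real sulog by feeding the file contents to `parse_sulog`; the malformed list is kept on purpose, because on a box you are investigating a line that does not parse is itself something to look at.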