Hi,
Let me share an anecdote, <lol>. I happened to get root access to a friend's
computer and noticed that he had a lot of users in his passwd file. So I
added a user with a weird name that looked like a legitimate process and gave
it a UID of 0. Anyway, with all those users in the passwd file, a user that
does not know what they are looking for will not catch something like what I
had done, until it was too late. We could if this to death, but I personally
Marc wrote some cron scripts, which will, among other
things, check for things like this.
The cron scripts are adopted from OpenBSD and can be found at
http://www.suse.de/~marc.
Sure, these cron jobs don't provide you w/ real-time intrusion
detection.
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
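
The kind of check discussed in this message, as an added example (not Marc's cron scripts and not part of the original e-mail): a shell function that flags UID 0 accounts not named root, shared UIDs, and empty password fields in a passwd-format file. The function names and the sample entries, including the `kflushd` account, are constructed for illustration.

```shell
#!/bin/sh
# Added example: periodic audit of a passwd-format file.
# Names and sample data below are constructed, not taken from any real system.

# sample_passwd: constructed input with one process-like UID 0 account
# and one account with an empty password field.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
kflushd:x:0:0::/tmp:/bin/sh
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob::1001:100:Bob:/home/bob:/bin/bash
EOF
}

# audit_passwd [FILE]: reads FILE (or stdin), prints one finding per line,
# returns 0 if nothing was flagged and 1 otherwise.
audit_passwd() {
    awk -F: '
        /^#/ || $0 == "" { next }               # skip comments, blank lines
        NF != 7 {
            printf "MALFORMED line %d: %d fields\n", NR, NF; bad = 1; next
        }
        $3 !~ /^[0-9]+$/ {
            printf "BADUID %s: non-numeric uid\n", $1; bad = 1; next
        }
        {
            uid = $3 + 0                        # "00" and "0" are both uid 0
            if (uid == 0 && $1 != "root") {
                printf "UID0 %s: uid 0 but not named root\n", $1; bad = 1
            }
            if ($2 == "") {
                printf "NOPASSWD %s: empty password field\n", $1; bad = 1
            }
            if (uid in owner) {
                printf "DUPUID %s: shares uid %d with %s\n", $1, uid, owner[uid]
                bad = 1
            } else {
                owner[uid] = $1                 # first account seen per uid
            }
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# From cron: sh audit.sh /etc/passwd  (non-zero exit means findings)
if [ $# -gt 0 ]; then audit_passwd "$1"; fi
```

Like the cron jobs mentioned above, this only catches a change at the next run; comparing the output against the previous run's output narrows review to what is new.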