Robert Heller wrote:
> At Wed, 01 Jul 2009 16:08:08 -0600 CentOS mailing list <centos at centos.org> wrote:
>
>> On Wed, 01 Jul 2009 15:05:58 -0700
>> Gary Greene wrote:
>>
>>> . With sudo,
>>> you get a record of what command was executed with superuser rights by whom
>>> at whenever given hour.
>> sudo bash
>
> Which in turn is logged. Such a log entry might raise a red flag.
>
>

Speaking of logged - I don't do this but Dad set up his systems (Solaris) to immediately boot the user and send an alert to the operator if the root user issued the id command and had not become root from a member of the wheel group. He was a university admin, they had to have telnet open because of grad students doing research in countries that did not allow secure connections. Most of the time, that single action got the hacker off before any damage was done. Those were primarily Solaris systems he dealt with. They also had a log server that everything was logged to (off the network, fed I think by serial cable if I recall but it may have been cat 5 - Sun had funny looking serial ports that took a cat 5 jacks to me), as local logs are easily modified once you have a root shell. But I don't personally deal with any systems that big and complex.
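As an added example (not part of the thread), the check below picks out the "red flag" entries discussed above: sudo log lines where the command run as root is an interactive shell, after which sudo records nothing further. It assumes sudo's standard syslog line layout; the host name, user names and log lines are constructed.

```python
import re
from pathlib import PurePosixPath

# Programs that turn one logged sudo command into an unlogged root session.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

# Standard sudo syslog layout:
#   sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<command line>
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def flag_root_shells(lines):
    """Return (user, command) for each sudo entry that opens a root shell."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        argv = m.group("cmd").split()
        prog = PurePosixPath(argv[0]).name
        # "sh -c <cmd>" still names the command in the log entry;
        # a bare shell or "su -" does not, so only those are flagged.
        if prog in SHELLS and "-c" not in argv[1:]:
            hits.append((m.group("user"), m.group("cmd")))
    return hits

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "Jul  1 15:05:58 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update",
    "Jul  1 16:08:08 host1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Jul  1 16:09:12 host1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -",
    "Jul  1 16:10:30 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c /usr/local/bin/backup.sh",
    "Jul  1 16:11:00 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for user, cmd in flag_root_shells(SAMPLE_LOG):
        print(f"root shell via sudo: user={user} command={cmd}")
```

Run it against the copy of the log held on the separate log server rather than the local file, for the reason given in the post: local logs are easily modified once someone has a root shell.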