[UNCLASSIFIED]RE: [clug] Detecting malicious former employees
Michael Still
mikal at stillhq.com
Tue Sep 12 00:31:42 GMT 2006
Alex Satrapa wrote:
> On 12 Sep 2006, at 06:28, Michael Still wrote:
>
>> I would expect any organization to have an "exit checklist" that
>> ensures that someone in a trusted position has their access revoked
>> properly. We're talking about what should be on that checklist.
>
> Thanks for pointing out the one about persistent connections. Disabling
> a user's account won't close off their SSH tunnels or OpenVPN connections.
>
> How disruptive would it be to close all SSH/OpenVPN connections when
> disabling/deleting accounts? I guess that really depends on whether
> people are actively using the connection at the time - but OpenVPN seems
> to be pretty robust when it comes to dealing with network outages or
> server restarts.
How about something simple like an "exit script" which executes a kill
for all processes owned by a given user on all machines? You could at
the same time eliminate all cron jobs, ssh keys, and so forth as well.
Mikal
More information about the linux
mailing list