[UNCLASSIFIED]RE: [clug] Detecting malicious former employees

Michael Still mikal at stillhq.com
Tue Sep 12 00:31:42 GMT 2006


Alex Satrapa wrote:
> On 12 Sep 2006, at 06:28, Michael Still wrote:
> 
>> I would expect any organization to have an "exit checklist" that 
>> ensures that someone in a trusted position has their access revoked 
>> properly. We're talking about what should be on that checklist.
> 
> Thanks for pointing out the one about persistent connections. Disabling 
> a user's account won't close off their SSH tunnels or OpenVPN connections.
> 
> How disruptive would it be to close all SSH/OpenVPN connections when 
> disabling/deleting accounts? I guess that really depends on whether 
> people are actively using the connection at the time - but OpenVPN seems 
> to be pretty robust when it comes to dealing with network outages or 
> server restarts.

How about something simple like an "exit script" which executes a kill 
for all processes owned by a given user on all machines? You could at 
the same time eliminate all cron jobs, ssh keys, and so forth as well.

Mikal
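
An added example, not part of the original post: a sketch of the "exit script" suggested above, which locks the account, removes the user's crontab, kills their processes and sets aside their SSH authorized keys on each listed host. The host names, root SSH access to every machine, the `DRY_RUN` variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sketch of an "exit script". Host names, DRY_RUN and the
# function names are assumptions for illustration, not from the thread.
LC_ALL=C; export LC_ALL

# The user name is embedded in a remote command line, so accept only
# conservative login names and never root.
valid_user() {
    case "$1" in
        ''|root|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the commands to run as root on one host. Order matters: lock and
# expire the account first so nothing can log back in, kill the user's
# processes, and only then touch files in their home directory.
remote_steps() {
    u=$1
    cat <<EOF
usermod -L -e 1 $u || exit 1
crontab -r -u $u 2>/dev/null
pkill -KILL -u $u || true
home=\$(getent passwd $u | cut -d: -f6)
for f in authorized_keys authorized_keys2; do
  if [ -f "\$home/.ssh/\$f" ]; then
    mv "\$home/.ssh/\$f" "\$home/.ssh/\$f.revoked"
  fi
done
EOF
}

# offboard USER HOST...  Dry run by default; set DRY_RUN=0 to execute.
offboard() {
    user=$1; shift
    valid_user "$user" || { echo "refusing user name: $user" >&2; return 2; }
    failed=0
    for host in "$@"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "## $host"
            remote_steps "$user"
        else
            remote_steps "$user" | ssh -o BatchMode=yes "root@$host" sh -s ||
                { echo "FAILED on $host" >&2; failed=1; }
        fi
    done
    return "$failed"
}

if [ "$#" -ge 2 ]; then offboard "$@"; fi
```

Killing the user's processes ends their SSH sessions and any tunnels carried over them, but an OpenVPN session is typically held by the server daemon rather than by a process the user owns, so it has to be closed separately.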

