[UNCLASSIFIED] RE: [clug] Detecting malicious former employees

Edward Lang edlang at gmail.com
Tue Sep 12 00:42:47 GMT 2006


Hi,

On 9/12/06, Michael Still <mikal at stillhq.com> wrote:
> How about something simple like an "exit script" which executes a kill
> for all processes owned by a given user on all machines? You could at
> the same time eliminate all cron jobs, ssh keys, and so forth as well.

I was recently responsible for locking down the account of a coworker
who moved to another section of my company. Another coworker has
written a script that is distributed to all machines, which for a
given user updates /etc/passwd with an invalid password for that user,
changes their shell to /bin/false (or similar), invalidates their
crontab, and kills their processes. It could, no doubt, be refined,
but the consistent and documented approach seems to work well.

None of their files or accounts are removed to preserve the integrity
of backups for audit related purposes.

Regards,

Edward.
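One way to write the per-host part of such a lockdown script, as an added example that is not the script Edward describes and not code from the list. It assumes it runs as root on a host that keeps accounts in /etc/passwd and /etc/shadow, that the site pushes it to each machine by its usual means, and that the poster's "/bin/false (or similar)" is /bin/false; the decision to comment out rather than delete the crontab, and to rename rather than delete authorized_keys, is this example's own reading of the "nothing removed, for the sake of backups" rule.

```shell
#!/bin/sh
# Example lockdown script (added example, not the poster's script).
# Order matters: block new logins first, then remove scheduled work,
# then kill whatever is still running, so there is no window in which
# the user can log back in after being killed.

# lock_passwd_entry FILE USER
# Rewrite FILE in passwd/shadow format so USER's password field becomes
# "!" (never matches any hash) and, for a 7-field passwd line, the login
# shell becomes /bin/false. Takes the file as a parameter so it can be
# exercised on a copy; returns 1 if USER has no entry.
lock_passwd_entry() {
    file=$1; user=$2
    grep -q "^$user:" "$file" || return 1
    tmp=$file.$$          # not FILE.lock: shadow-utils uses that name
    awk -F: -v OFS=: -v u="$user" '
        $1 == u { $2 = "!"; if (NF == 7) $7 = "/bin/false" }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # keeps inode, mode, owner
    rm -f "$tmp"
}

# locked_entry FILE USER: print USER's current line from FILE.
locked_entry() {
    grep "^$2:" "$1"
}

# disable_user USER: the whole per-host procedure.
disable_user() {
    u=$1
    getent passwd "$u" >/dev/null || { echo "no such user: $u" >&2; return 1; }

    # 1. Invalid password and /bin/false shell (passwd), invalid hash (shadow).
    lock_passwd_entry /etc/passwd "$u"
    [ -f /etc/shadow ] && lock_passwd_entry /etc/shadow "$u"

    # 2. Invalidate the crontab by commenting every active line, so the
    #    spool file survives in backups but nothing in it runs.
    crontab -l -u "$u" 2>/dev/null | sed 's/^[^#]/#&/' | crontab -u "$u" - 2>/dev/null || true

    # 3. Disable SSH public-key logins without deleting the key file
    #    (assumption: keys live in ~/.ssh/authorized_keys).
    home=$(getent passwd "$u" | cut -d: -f6)
    if [ -f "$home/.ssh/authorized_keys" ]; then
        mv "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys.disabled"
    fi

    # 4. Kill every process running under the user's UID (procps pkill;
    #    it exits 1 when nothing matched, which is not an error here).
    pkill -KILL -u "$u" || true
}

# Usage: sh lock_user.sh USERNAME   (as root, on every host)
if [ -n "${1-}" ]; then
    disable_user "$1"
fi
```

The awk rewrite is shown so the edit is visible and can be checked on a scratch copy of the file; on a host with shadow-utils, `passwd -l USER` and `usermod -s /bin/false USER` make the same change while holding the proper lock file, and are the better choice for the real run. Whichever form is used, the account stays on the system with its home directory and spool files intact, which is what keeps the backups usable for a later audit.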

