[UNCLASSIFIED]RE: [clug] Detecting malicious former employees

Michael Still mikal at stillhq.com
Tue Sep 12 02:47:46 GMT 2006

Edward Lang wrote:
> Hi,
> On 9/12/06, Michael Still <mikal at stillhq.com> wrote:
>> How about something simple like an "exit script" which executes a kill
>> for all processes owned by a given user on all machines? You could at
>> the same time eliminate all cron jobs, ssh keys, and so forth as well.
> I was recently responsible for locking down the account of a coworker
> who moved to another section of my company. Another coworker has
> written a script that is distributed to all machines, which for a
> given user updates /etc/passwd with an invalid password for that user,
> changes their shell to /bin/false (or similar), invalidates their
> crontab, and kills their processes. It could, no doubt, be refined,
> but the consistent and documented approach seems to work well.
> None of their files or accounts are removed to preserve the integrity
> of backups for audit related purposes.

You also need to rename their .ssh/authorized_keys file, or ssh will 
allow execution of programs (I think. I need to test this).


More information about the linux mailing list