[UNCLASSIFIED]RE: [clug] Detecting malicious former employees
Michael Still
mikal at stillhq.com
Tue Sep 12 02:47:46 GMT 2006
Edward Lang wrote:
> Hi,
>
> On 9/12/06, Michael Still <mikal at stillhq.com> wrote:
>> How about something simple like an "exit script" which executes a kill
>> for all processes owned by a given user on all machines? You could at
>> the same time eliminate all cron jobs, ssh keys, and so forth as well.
>
> I was recently responsible for locking down the account of a coworker
> who moved to another section of my company. Another coworker has
> written a script that is distributed to all machines, which for a
> given user updates /etc/passwd with an invalid password for that user,
> changes their shell to /bin/false (or similar), invalidates their
> crontab, and kills their processes. It could, no doubt, be refined,
> but the consistent and documented approach seems to work well.
>
> None of their files or accounts are removed to preserve the integrity
> of backups for audit related purposes.
You also need to rename their .ssh/authorized_keys file, or ssh will
allow execution of programs (I think. I need to test this).
Mikal
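
An added example, not part of the original thread and not the script the posters describe: a POSIX shell audit that reports which of the access paths named above (password, login shell, crontab, authorized_keys) are still open for an account. The `audit_user` function, its ROOT prefix argument, the finding names and the file locations (shadow passwords, common crontab spool paths, default key file names) are assumptions; running processes are live state and are not covered.

```shell
#!/bin/sh
# Added example: report access paths still open for a disabled account.
# audit_user ROOT USER   (ROOT is "" on a live host, or a scratch tree)
# Prints findings on one line; status 0 = clean, 1 = findings, 2 = unknown user.
audit_user() {
    root=$1 user=$2 findings=""

    # /etc/passwd: field 6 is the home directory, field 7 the login shell
    entry=$(awk -F: -v u="$user" '$1 == u' "$root/etc/passwd")
    if [ -z "$entry" ]; then echo "no-such-user"; return 2; fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $shell in
        */false|*/nologin) ;;
        *) findings="$findings shell-active" ;;
    esac

    # /etc/shadow field 2: a value starting with ! or * matches no password
    # (assumes shadow passwords; an empty field is reported as usable)
    pw=$(awk -F: -v u="$user" '$1 == u {print $2}' "$root/etc/shadow" 2>/dev/null) || pw=""
    case $pw in
        '!'*|'*'*) ;;
        *) findings="$findings password-usable" ;;
    esac

    # Per-user crontab spool: Debian-style and Red Hat-style locations
    for f in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
        if [ -f "$f" ]; then findings="$findings crontab-present"; fi
    done

    # Default key files; a custom AuthorizedKeysFile in sshd_config is not read
    for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2"; do
        if [ -f "$f" ]; then findings="$findings authorized-keys-present"; fi
    done

    if [ -z "$findings" ]; then echo "clean"; return 0; fi
    echo "${findings# }"
    return 1
}

# Stand-alone use: sh audit.sh "" alice
if [ "$#" -eq 2 ]; then audit_user "$1" "$2"; fi
```

Run it on every machine after the exit script has been applied; any output other than `clean` names a step that was missed on that host.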