*Hobbit* wrote this...

> Lastlog, process accounting, utmp/wtmp/utmpx/wtmpx, and maybe even syslog
> is useless if an intruder has taken steps to "vanish" properly. Kernel
> accounting, if transferred soon enough to some secured receiver site, may
> still be intact. Comments on other non-destroyable user-authentication
> records, anyone?
>
> _H*

Real-time tracking of utmp/wtmp/utmpx/wtmpx to another secure machine can normally be trusted, especially if it is logged to a WORM drive. That way the hacker can modify the file entry, but they can't destroy anything on the WORM drive. IMHO WORM drives are perfect devices for keeping log files: they are big (anyone ever seen a small log file?), and they are write once, which means your log files are physically protected.

Matt
--
Matthew Keenan                          Systems Programmer
Information Technology Division         University of Technology Sydney
www:   http://milliways.itd.uts.edu.au/~matt/
email: matt@uts.edu.au                  phone: +61 2 330 1390
fax:   +61 2 330 1999                   "Don't murder a man who is about
home:  +61 2 416 5722                    to commit suicide." -- Machiavelli

GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
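As an added illustration of the point made in this thread (example code, not from the original post or its authors): once wtmp records are streamed in real time to a write-once mirror, any record present on the mirror but absent from the host's own wtmp is one that was deleted or edited on the host after the fact. The record layout assumed is glibc's `struct utmp` on x86-64 (384 bytes); the sample entries, user names and host names are constructed.

```python
"""Diff a host's local wtmp against its write-once mirror copy.

Assumption: records are glibc x86-64 struct utmp (384 bytes each).
The mirror is append-only, so every record it holds should also be
present locally; anything missing locally was removed on the host.
"""
import struct
from typing import NamedTuple

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{2 shorts}, ut_session, ut_tv{sec, usec}, ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on glibc x86-64
USER_PROCESS = 7


class Entry(NamedTuple):
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-size char array."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> list[Entry]:
    """Parse whole records; a trailing partial record is ignored."""
    entries = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        entries.append(Entry(f[0], f[1], _cstr(f[2]), _cstr(f[4]),
                             _cstr(f[5]), f[9]))
    return entries


def make_record(ut_type: int, pid: int, line: str, user: str,
                host: str, tv_sec: int) -> bytes:
    """Build one constructed utmp record (struct pads strings with NULs)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


def missing_from_local(local: bytes, mirror: bytes) -> list[Entry]:
    """Records the WORM mirror kept but the host's wtmp no longer has."""
    local_set = set(parse_wtmp(local))
    return [e for e in parse_wtmp(mirror) if e not in local_set]


# Constructed sample: three logins reached the mirror; the host copy has
# had the second one (the suspicious remote login) removed.
MIRROR = (make_record(USER_PROCESS, 1201, "tty1", "alice", "", 800000000)
          + make_record(USER_PROCESS, 1337, "pts/3", "intruder",
                        "remote.example", 800000600)
          + make_record(USER_PROCESS, 1402, "pts/0", "bob", "lan", 800001200))
LOCAL = MIRROR[:UTMP_SIZE] + MIRROR[2 * UTMP_SIZE:]
```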