On Fri, Feb 03, 2023 at 04:27:06PM +0100, Nicolas George wrote:
> Hi.
>
> When there is a suspicious access to a user account, we want to lock
> this account until we made sure. So “:-:” in /etc/shadow and shell to
> /bin/false, and “sudo -u user kill -9 -1”.
>
> But, at least with the default configuration, these will not block:
>
> - crontabs or atjobs that download instructions from the web;
>
> - .procmailrc or “|something” in .forward;
>
> - probably one or two mechanisms I forgot about.
>
> PAM might be able to help for some of these, but not all.
>
> I tried to search on the web, but did not find anything relevant, which
> is somewhat surprising to me.
>
> Do you know of any extensive discussion about this topic, to help me set
> something up without leaving too many holes?
>

I think it would be a good idea to temporarily ban/move the home directory.

mv /home/<user> /home/banned_<user>

This disconnects any automatisms like procmail etc. If you do this, any
automatism would trigger an error which shows up in the log. A good way to
find these (I think).

Next, find any leftover files of that user in /var (the temp files are likely
located here) and /run (if you have to keep the system running; a reboot
would flush those out):

find /var -type f -uid <userID> -print

-H

-- 
Henning Follmann | hfollm...@itcfollmann.com
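The procedure the thread converges on (lock the password and shell, kill live processes, move the home directory out of the way, then sweep /var and /run for leftovers) can be scripted so that the hooks Nicolas lists are checked before the lock is applied. The following is an added example, not code posted by either participant: `audit_user_hooks` reports the per-user execution hooks that survive a plain password lock (crontab, at jobs, a piped `.forward`, `.procmailrc`), and `lock_user_account` applies the lock steps as root. It goes one step beyond the thread's list by also checking for a systemd "linger" marker, which keeps a user's services running with no login. The spool layout (`SPOOL/crontabs/<user>`, `SPOOL/atjobs/`) matches Debian's `/var/spool/cron`; the function names and the `LINGER_DIR` override are assumptions made here so the audit can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# audit_user_hooks USER HOME_DIR SPOOL_ROOT
#   Prints one line per execution hook that would keep running after the
#   password is locked. Returns 0 when nothing was found, 1 otherwise.
# lock_user_account USER
#   Applies the lock steps discussed in the thread; must run as root.
LINGER_DIR=${LINGER_DIR:-/var/lib/systemd/linger}   # assumption: Debian default

audit_user_hooks() {
    user=$1; home=$2; spool=$3
    found=0

    # Per-user crontab lives in the spool, not in $HOME, so "mv $HOME" alone
    # does not disable it.
    if [ -f "$spool/crontabs/$user" ]; then
        echo "crontab: $spool/crontabs/$user"
        found=1
    fi

    # at(1) keeps each queued job as a file owned by the submitting user.
    if [ -d "$spool/atjobs" ]; then
        for job in $(find "$spool/atjobs" -type f -user "$user" 2>/dev/null); do
            echo "atjob: $job"
            found=1
        done
    fi

    # Mail delivery hooks: a "|command" line in .forward runs on every
    # incoming message; .procmailrc is consulted by procmail the same way.
    if [ -f "$home/.forward" ] && grep -q '^[[:space:]]*"\{0,1\}|' "$home/.forward"; then
        echo "forward-pipe: $home/.forward"
        found=1
    fi
    if [ -f "$home/.procmailrc" ]; then
        echo "procmailrc: $home/.procmailrc"
        found=1
    fi

    # Not in the thread's list: loginctl enable-linger lets the user's
    # systemd --user instance keep running without any session.
    if [ -e "$LINGER_DIR/$user" ]; then
        echo "linger: $LINGER_DIR/$user"
        found=1
    fi

    return $found
}

lock_user_account() {
    user=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "lock_user_account: must run as root" >&2
        return 2
    fi
    passwd -l "$user"                        # '!' in the shadow field: no password auth
    usermod -s /usr/sbin/nologin "$user"     # refuse interactive logins
    pkill -KILL -u "$user"                   # kill live sessions and daemons
    crontab -r -u "$user" 2>/dev/null        # remove the crontab outright
    # atq as root lists every user's jobs; the user name is the last column.
    for j in $(atq 2>/dev/null | awk -v u="$user" '$NF == u { print $1 }'); do
        atrm "$j"
    done
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -d "$home" ]; then
        # Moving the home directory makes .forward/.procmailrc vanish, so
        # mail delivery errors out and the failures show up in the log.
        mv "$home" "$(dirname "$home")/banned_$(basename "$home")"
    fi
    # Leftover files (temp files, sockets, lock files) the account still owns.
    find /var /run -xdev -type f -user "$user" -print 2>/dev/null
}

# Usage (as root):
#   audit_user_hooks alice /home/alice /var/spool/cron && echo "no hooks"
#   lock_user_account alice
```

Run the audit first and keep its output with the incident notes: every line it prints is a place the account could act without logging in, and the lock function only covers the ones the thread names, so anything unexpected in the list needs a manual look.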