On Sat, Feb 04, 2023 at 11:40:49AM +0100, Henning Follmann wrote:
> On Fri, Feb 03, 2023 at 04:27:06PM +0100, Nicolas George wrote:
> > Hi.
> >
> > When there is a suspicious access to a user account, we want to lock
> > this account until we have made sure. So “:-:” in /etc/shadow and shell to
> > /bin/false, and “sudo -u user kill -9 -1”.
> >
> > But, at least with the default configuration, these will not block:
> >
> > - crontabs or atjobs that download instructions from the web;
> >
> > - .procmailrc or “|something” in .forward;
> >
> > - probably one or two mechanisms I forgot about.
> >
> > PAM might be able to help for some of these, but not all.
> >
> > I tried to search on the web, but did not find anything relevant, which
> > is somewhat surprising to me.
> >
> > Do you know of any extensive discussion about this topic, to help me set
> > something up without leaving too many holes?
>
> I think it would be a good idea to temporarily ban/move the home directory.
> mv /home/<user> /home/banned_<user>
> To disconnect any automatisms like procmail etc.
> If you do this, any automatisms would trigger an error which shows up in the
> log. A good way to find these (I think).
>
> Next find any leftover files of that user in /var (likely the temp
> files are located here), /run (if you have to keep the system running, a
> reboot would flush those out)
> find /var -type f -uid <userID> -print
>
And I forgot, if the user was part of the group "sudo" or had explicit rights in the sudoers file, torch the system.

-H

-- 
Henning Follmann | hfollm...@itcfollmann.com