Hacker News
by
_yy
3807 days ago
Incident response. When one of your admin accounts is compromised, you'd want to know what the attacker executed.
1 comments
ultramancool
3807 days ago
Yes you would - but why just SSH? Wouldn't auditd execve syscall logs sent to a logstash server be better? It'd handle compromises other than SSH too.
link
_yy
3807 days ago
Yes - though there's more to an SSH session than executing commands (interacting with interactive editors, port forwarding, etc.).
link