> > You really need to do a separation of the checkee from the checkor.
> > If someone has root access on the machine, they could basically do anything that
> > is needed to cover their tracks.

I just had a thought. What about making it impossible for even root to cover his/her tracks? My specific thought was writing things like accounting/audit logs directly to, say, a WORM drive. Due to the write-once nature, any auditing/accounting done by the system when the hacker obtained root access would be on the disk, and even root could not erase it after the fact, as it's write once.

Of course, once root they could unmount that drive or something to disable logging from that point on, but you would always get at least the process of becoming root.

--
Leo Bicknell - bicknell@vt.edu               | Make a little birdhouse
bicknell@csugrad.cs.vt.edu                   | in your soul......
bicknell@ussenterprise.async.vt.edu          | They Might
http://ussenterprise.async.vt.edu/~bicknell/ | Be Giants