In message <199502270518.AAA20096@ussenterprise.async.vt.edu>, Leo Bicknell <bicknell@ussenterprise.async.vt.edu> writes:
> I just had a thought. What about making it impossible for
> even root to cover his/her tracks? My specific thought was writing
> things like accounting/audit logs directly to say a WORM drive.

In that situation the obvious thing for the cracker to do is to generate as much misleading logging as possible, and aim to fill the WORM disk with it. Whilst that won't remove their footprints, they can (if they think carefully) generate enough fake "information" to make them start chasing other leads first. I'm thinking here along the lines of bogus syslog messages about hardware and software problems.

Now perhaps this is the sort of time you want to be running things like swatch to monitor the logfiles, and to try and alert people when things start to act peculiar.

Chris

P.S. This is meandering away from full-disclosure now, so I'll shut up. ;-)
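The monitoring idea in the message above, as an added example that is not part of the original post and is not swatch itself: a rate check that flags a minute in which one source floods the log, then lists the few lines from other programs logged in that same minute. It goes beyond pattern matching to volume; the host name, thresholds and log lines are constructed assumptions.

```python
import re
from collections import Counter
from statistics import median

# Classic BSD syslog line: "Feb 27 00:18:01 host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d):\d\d "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
)

def per_minute_counts(lines):
    """Count messages per (minute, host, program); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["ts"], m["host"], m["prog"])] += 1
    return counts

def find_floods(lines, factor=5, floor=20):
    """Buckets with at least `floor` messages and more than factor * median bucket."""
    counts = per_minute_counts(lines)
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted((minute, host, prog, n) for (minute, host, prog), n in counts.items()
                  if n >= floor and n > factor * baseline)

def buried_lines(lines, floods):
    """Lines from other programs logged during a flooded minute: read these first."""
    noisy = {f[:3] for f in floods}
    minutes = {f[0] for f in floods}
    matched = ((LINE_RE.match(line), line) for line in lines)
    return [line for m, line in matched
            if m and m["ts"] in minutes and (m["ts"], m["host"], m["prog"]) not in noisy]

def constructed_sample():
    """Constructed log: quiet cron/ftpd traffic, then a burst of fake hardware errors."""
    lines = []
    for minute in range(10, 16):
        lines.append(f"Feb 27 00:{minute}:01 gw cron[311]: (root) CMD (/usr/lib/atrun)")
        lines.append(f"Feb 27 00:{minute}:07 gw ftpd[402]: connection from 10.0.0.5")
    for sec in range(40):
        lines.append(f"Feb 27 00:16:{sec:02d} gw kernel: sd0: hard error reading block {sec}")
    lines.append("Feb 27 00:16:41 gw login[977]: ROOT LOGIN ON ttyp3")
    return lines

if __name__ == "__main__":
    sample = constructed_sample()
    print(find_floods(sample), buried_lines(sample, find_floods(sample)))
```

On a write-once log the flood cannot be removed afterwards, so the useful output is the second list: the handful of entries the noise was surrounding.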