I am trying to think, what kind of traps to deploy into some systems that I am monitoring. I already have install/configure some IDS like fail2ban. But I am trying to think of some simple trick in order to know when an unprivileged entity has accessed the system. This of course is the last resort to be notified that you have a breach.
some stupid ideas:
- Monitoring a file for edit, normally no one will ever edit it.
- Monitoring a file for execution, normally no one will ever execute it.
some stupid ideas:
- Monitoring a file for edit, normally no one will ever edit it.
- Monitoring a file for execution, normally no one will ever execute it.