A client just asked for info on *nix commands that are most often run by attackers vs. legitimate users that we can find with auditd. Some things I thought of:
ssh tunneling params
stunnel
nc
cat/head/tail/more/less <critical config files>
What else? Any cheat sheets out there?
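As an added example that is not part of the original post: a small Python script that emits auditd rules for the command classes listed above (tunneling tools, nc/stunnel, pagers against sensitive files) and labels the matching EXECVE records in raw audit.log text. The tool set, file paths, rule key and sample log lines are constructed assumptions, not taken from any real host.

```python
import re

# Watchlists are constructed for this example; adapt paths to the monitored hosts.
TOOLS = {"nc", "ncat", "netcat", "socat", "stunnel"}
PAGERS = {"cat", "head", "tail", "more", "less"}
CRITICAL = {"/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config", "/root/.ssh/authorized_keys"}
SSH_TUNNEL_FLAGS = ("-R", "-L", "-D", "-w")  # reverse, local, dynamic and tun forwarding

def audit_rules(key="suspect_cmds"):
    """audit.rules lines: execve of each tool, plus any read of the critical files.
    -F exe= matches the resolved binary, so a symlinked tool needs its own rule."""
    rules = [f"-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/{t} -k {key}" for t in sorted(TOOLS)]
    rules += [f"-w {path} -p r -k {key}" for path in sorted(CRITICAL)]
    return rules

def classify(args):
    """Label one execve argv, or None when nothing on the watchlist matched.
    Caveat: bundled short options such as 'ssh -NR ...' are not decoded."""
    if not args:
        return None
    cmd = args[0].rsplit("/", 1)[-1]  # basename: a0 may be a full path
    if cmd in TOOLS:
        return f"tool:{cmd}"
    if cmd == "ssh" and any(a.startswith(SSH_TUNNEL_FLAGS) for a in args[1:]):
        return "ssh-tunnel"
    if cmd in PAGERS and any(a in CRITICAL for a in args[1:]):
        return "critical-file-read"
    return None

def scan(log_text):
    """(event id, label) for each flagged EXECVE record in raw audit.log text.
    Caveat: auditd hex-encodes argv entries holding spaces or quotes; those are skipped."""
    hits = []
    for line in log_text.splitlines():
        if "type=EXECVE" not in line:
            continue
        event = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
        label = classify(re.findall(r' a\d+="([^"]*)"', line))
        if event and label:
            hits.append((event.group(1), label))
    return hits
# Constructed sample records in auditd's own format; not taken from a real host.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.100:101): argc=3 a0="ssh" a1="-R" a2="2222:localhost:22"
type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="/usr/bin/nc" a1="-l" a2="4444"
type=EXECVE msg=audit(1700000000.300:103): argc=2 a0="cat" a1="/etc/shadow"
type=EXECVE msg=audit(1700000000.400:104): argc=2 a0="cat" a1="/etc/hostname"
"""
if __name__ == "__main__":
    print("\n".join(audit_rules()), *scan(SAMPLE_LOG), sep="\n")
```

Pair the generated `-k` key with `ausearch -k suspect_cmds -i` to pull the interpreted records out of a live host; the benign `cat /etc/hostname` record shows that only the watched paths, not the pager itself, trigger a hit.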