Is process accounting set up?
Linux can log which commands are run, when, and by whom. This is extremely useful when trying to reconstruct what a potential cracker actually ran. The drawbacks are that the logs get large quickly (a log rotate module is included to offset this), the parameters to commands are not recorded, and, like all log files, the accounting log can be removed if the attacker has root. As this is rather disk and CPU intensive, please choose NO unless you have carefully considered this option.
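
As an added example (not part of the original text or of the tool that asks this question), the Python below parses process accounting records into a timeline and shows what an investigator actually gets from them: command name, user and start time, but no arguments. It assumes the `struct acct_v3` record layout from `<linux/acct.h>` on a little-endian host; the sample records and the helper names (`parse_acct`, `make_record`, `timeline`) are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# struct acct_v3 in <linux/acct.h>: 64 bytes per exited process.
# Little-endian host assumed; comp_t counters are kept as raw u16.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
FLAGS = {0x01: "FORK", 0x02: "SU", 0x08: "CORE", 0x10: "XSIG"}

def parse_acct(blob):
    """Return one dict per complete record; a truncated tail is ignored."""
    records = []
    usable = len(blob) - len(blob) % ACCT_V3.size
    for off in range(0, usable, ACCT_V3.size):
        f = ACCT_V3.unpack_from(blob, off)
        if f[1] & 0x7F != 3:  # ac_version (top bit marks byte order)
            raise ValueError(f"offset {off}: not an acct_v3 record")
        records.append({
            # ac_comm is the only trace of *what* ran: 15 chars, no argv.
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": f[4], "pid": f[6], "ppid": f[7],
            "start": datetime.fromtimestamp(f[8], timezone.utc),
            "flags": sorted(n for bit, n in FLAGS.items() if f[0] & bit),
        })
    return records

def make_record(comm, uid, pid, ppid, btime, flag=0):
    """Build a constructed sample record (test data, not a real log)."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, ppid, btime,
                        0.0, *([0] * 8), comm.encode()[:15])

# Constructed sample: uid 1000 runs wget and tar, then something as root.
SAMPLE = (make_record("wget", 1000, 4101, 4000, 1700000000)
          + make_record("tar", 1000, 4102, 4000, 1700000005)
          + make_record("insmod", 0, 4110, 4105, 1700000030, flag=0x02)
          + b"\x00" * 20)  # partial trailing record, e.g. a cut-off copy

def timeline(blob):
    """Chronological 'when uid=N command [flags]' lines, like lastcomm."""
    rows = sorted(parse_acct(blob), key=lambda r: r["start"])
    return [f'{r["start"]:%Y-%m-%d %H:%M:%S} uid={r["uid"]} '
            f'{r["comm"]} {",".join(r["flags"])}'.rstrip() for r in rows]

if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE)))
```

The timeline shows that `wget` and `tar` ran under uid 1000, but not which URL was fetched or which files were archived, which is the limitation described above.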