+ . rm /var/cache/apt/archives/*
+ - /var/run/* and pam_faillock's data files
+ - homedirs/.ssh directory, especially /root/.ssh (Steve Grubb)
+ - if drives are encrypted, then dm-crypt key should be changed
+ and drives all re-encrypted
+ - /etc/pki
+ (Steve says ...)
+ Rpm uses nss. Nss sets up its crypto database in
+ /etc/pki. Depending on how long the machine ran before cloning, you
+ may have picked up some certificates or things. This is an area
+ that you would want to look into.
+ - secure erase of inodes etc using scrub (Steve Grubb)
+ - other directories that could require cleaning include:
+ /var/cache/gdm/*
+ /var/lib/fprint/*
+ /var/run/*
+ /var/lib/AccountService/users/*
+ /var/lib/sss/db/*
+ /var/lib/samba/*
+ /var/lib/samba/*/*
+ (thanks Marko Myllynen, James Antill)