From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Booth Subject: Detecting gaps in the audit record Date: Thu, 01 Feb 2007 19:26:25 +0000 Message-ID: <1170357985.3600.3.camel@localhost.localdomain> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1997331739==" Return-path: Received: from [10.249.226.43] (sebastian-int.corp.redhat.com [172.16.52.221]) by pobox.surrey.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id l11JRJvf025736 for ; Thu, 1 Feb 2007 19:27:25 GMT List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============1997331739== Content-Type: multipart/alternative; boundary="=-9yffoK98acieOB1rb7zo" --=-9yffoK98acieOB1rb7zo Content-Type: text/plain Content-Transfer-Encoding: 7bit I notice that in normal operation audit event IDs are sequential. Is it sufficient to look for non-sequential audit events to detects gaps in the record? Are there any circumstances, including deliberate tampering, where this might not be sufficient? Thanks, Matt -- Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490 --=-9yffoK98acieOB1rb7zo Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit I notice that in normal operation audit event IDs are sequential. Is it sufficient to look for non-sequential audit events to detects gaps in the record? Are there any circumstances, including deliberate tampering, where this might not be sufficient?

Thanks,

Matt

-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

--=-9yffoK98acieOB1rb7zo-- --===============1997331739== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============1997331739==--