From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Current capabilities
Date: Thu, 14 Dec 2006 08:33:15 -0500
Message-ID: <200612140833.15229.sgrubb@redhat.com>
References: <04485C8018722949A3DF79E193BB44DB07A50720@xcgfl107.northgrum.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <04485C8018722949A3DF79E193BB44DB07A50720@xcgfl107.northgrum.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Boyce, Kevin P. (Melbourne, FL)" <Kevin.Boyce@ngc.com>
List-Id: linux-audit@redhat.com

On Thursday 14 December 2006 07:43, Boyce, Kevin P. (Melbourne, FL) wrote:
> If you need a record of failed login attempts, try using the syslog
> daemon.

Syslog is generally not good enough for people that *really* need to track 
this information. Syslog can be lossy due to udp. And the average user can do 
this to you:

while [ 1 ]; do
	logger "blah blah blah"
done

When your disk fills up...where's the login information going to go? The audit 
system has higher integrity due to needing CAP_AUDIT_WRITE to send login 
information. The kernel collects some of the data from the process 
credentials so its more trustworthy. It can alert the admin when the audit 
partition is starting to get full and then take the machine down if it does 
fill.

-Steve