From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Detecting gaps in the audit record
Date: Thu, 1 Feb 2007 16:14:00 -0500
Message-ID: <200702011614.00603.sgrubb@redhat.com>
References: <1170357985.3600.3.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1170357985.3600.3.camel@localhost.localdomain>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 01 February 2007 14:26, Matthew Booth wrote:
> I notice that in normal operation audit event IDs are sequential.

They are nearly sequential. It is possible for records of an event to get 
interlaced with another event. Its not common in my experience, but people do 
run across it.

> Is it sufficient to look for non-sequential audit events to detects gaps in
> the record? Are there any circumstances, including deliberate tampering, 
> where this might not be sufficient?

No. You could have 99, 100, 101, 100, 102, 100, 102, 103, 104.

-Steve