From: Matthew Booth
Subject: Detecting gaps in the audit record
Date: Thu, 01 Feb 2007 17:22:08 +0000
Message-ID: <1170350528.4259.10.camel@localhost.localdomain>
To: linux-audit@redhat.com

I notice that in normal operation audit event IDs are sequential. Is it sufficient to look for non-sequential audit events to detect gaps in the record? Are there any circumstances, including deliberate tampering, where this might not be sufficient?

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
From: Steve Grubb
Subject: Re: Detecting gaps in the audit record
Date: Thu, 1 Feb 2007 16:14:00 -0500
Message-ID: <200702011614.00603.sgrubb@redhat.com>
In-Reply-To: <1170357985.3600.3.camel@localhost.localdomain>
To: linux-audit@redhat.com

On Thursday 01 February 2007 14:26, Matthew Booth wrote:
> I notice that in normal operation audit event IDs are sequential.

They are nearly sequential. It is possible for records of an event to get interlaced with another event. It's not common in my experience, but people do run across it.

> Is it sufficient to look for non-sequential audit events to detect gaps in
> the record? Are there any circumstances, including deliberate tampering,
> where this might not be sufficient?

No. You could have 99, 100, 101, 100, 102, 100, 102, 103, 104.

-Steve