* Detecting gaps in the audit record
@ 2007-02-01 19:26 Matthew Booth
2007-02-01 21:14 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Matthew Booth @ 2007-02-01 19:26 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 414 bytes --]
I notice that in normal operation audit event IDs are sequential. Is it
sufficient to look for non-sequential audit events to detects gaps in
the record? Are there any circumstances, including deliberate tampering,
where this might not be sufficient?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
[-- Attachment #1.2: Type: text/html, Size: 795 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Detecting gaps in the audit record
2007-02-01 19:26 Detecting gaps in the audit record Matthew Booth
@ 2007-02-01 21:14 ` Steve Grubb
0 siblings, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2007-02-01 21:14 UTC (permalink / raw)
To: linux-audit
On Thursday 01 February 2007 14:26, Matthew Booth wrote:
> I notice that in normal operation audit event IDs are sequential.
They are nearly sequential. It is possible for records of an event to get
interlaced with another event. Its not common in my experience, but people do
run across it.
> Is it sufficient to look for non-sequential audit events to detects gaps in
> the record? Are there any circumstances, including deliberate tampering,
> where this might not be sufficient?
No. You could have 99, 100, 101, 100, 102, 100, 102, 103, 104.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Detecting gaps in the audit record
@ 2007-02-01 17:22 Matthew Booth
0 siblings, 0 replies; 3+ messages in thread
From: Matthew Booth @ 2007-02-01 17:22 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 414 bytes --]
I notice that in normal operation audit event IDs are sequential. Is it
sufficient to look for non-sequential audit events to detects gaps in
the record? Are there any circumstances, including deliberate tampering,
where this might not be sufficient?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
[-- Attachment #1.2: Type: text/html, Size: 795 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-02-01 21:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-02-01 19:26 Detecting gaps in the audit record Matthew Booth
2007-02-01 21:14 ` Steve Grubb
-- strict thread matches above, loose matches on Subject: below --
2007-02-01 17:22 Matthew Booth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox