From: Steve Grubb
Subject: Re: audit 1.6.7 questions
Date: Wed, 6 Feb 2008 17:04:12 -0500
Message-ID: <200802061704.12464.sgrubb@redhat.com>
References: <1202334494.6538.58.camel@homeserver>
In-Reply-To: <1202334494.6538.58.camel@homeserver>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 06 February 2008 16:48:14 LC Bruzenak wrote:
> Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
> not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?

That one is still TBD. I needed the define in libaudit.h so I could use it
later. I have to patch a few user space utilities to send the event.

> Also - gotta ask user logins but not logoffs?

Logoffs have to be determined from session information. So, it takes some
extra logic to deduce. Also failed logins are pretty important as you may be
under attack, while logoffs you are never under attack. So, I don't know if
logoffs are worthy of an IDS alert. However, it would be fine for something
like an aulast command. Would that be helpful or do you see an IDS angle I'm
missing? It's a good question, though.

Thanks,
-Steve
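Steve's point above, that logoffs have to be deduced by pairing session information while failed logins are the signal an IDS actually wants, as an added Python example that is not from this thread or from the audit project. The sample records and their field layout (ses=, acct=, res=) are constructed assumptions in the style of auditd user-space messages, not output captured from a real system.

```python
import re

# Constructed sample records (assumed layout, audit user-space style):
# one successful login, two failed root logins, one session close.
SAMPLE = """\
type=USER_LOGIN msg=audit(1202334494.100:101): pid=2201 uid=0 auid=500 ses=7 msg='op=login acct="lc" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=sshd res=success'
type=USER_LOGIN msg=audit(1202334500.200:102): pid=2205 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" addr=192.0.2.99 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1202334503.300:103): pid=2207 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" addr=192.0.2.99 terminal=sshd res=failed'
type=USER_END msg=audit(1202334900.400:150): pid=2201 uid=0 auid=500 ses=7 msg='op=PAM:session_close acct="lc" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=sshd res=success'
"""

# Pull out record type, timestamp, session id, account and result.
REC = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):\d+\):"
    r".*?\bses=(?P<ses>\d+)\b.*?acct=\"(?P<acct>[^\"]+)\".*?res=(?P<res>\w+)"
)

def parse(lines):
    """Yield one dict per recognised record, in log order."""
    for line in lines.splitlines():
        m = REC.search(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            yield rec

def sessions(lines):
    """Deduce logoffs: pair a successful USER_LOGIN with the USER_END
    carrying the same session id (aulast-style), None if still open."""
    open_sessions, out = {}, []
    for r in parse(lines):
        if r["type"] == "USER_LOGIN" and r["res"] == "success":
            open_sessions[r["ses"]] = r
        elif r["type"] == "USER_END" and r["ses"] in open_sessions:
            start = open_sessions.pop(r["ses"])
            out.append((start["acct"], start["ts"], r["ts"]))
    for start in open_sessions.values():
        out.append((start["acct"], start["ts"], None))
    return out

def failed_logins(lines):
    """The IDS-relevant side: failed login attempts per account."""
    counts = {}
    for r in parse(lines):
        if r["type"] == "USER_LOGIN" and r["res"] == "failed":
            counts[r["acct"]] = counts.get(r["acct"], 0) + 1
    return counts
```

Note that a failed login carries the unset session id, so it never pairs with a USER_END and only shows up in the failed-login count.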