Re: audit 1.6.7 questions - Valdis.Kletnieks

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Valdis.Kletnieks@vt.edu
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: audit 1.6.7 questions
Date: Wed, 06 Feb 2008 17:19:35 -0500	[thread overview]
Message-ID: <21216.1202336375@turing-police.cc.vt.edu> (raw)
In-Reply-To: Your message of "Wed, 06 Feb 2008 17:04:12 EST." <200802061704.12464.sgrubb@redhat.com>

[-- Attachment #1.1: Type: text/plain, Size: 1189 bytes --]

On Wed, 06 Feb 2008 17:04:12 EST, Steve Grubb said:

> Logoffs have to be determined from session information. So, it takes some 
> extra logic to deduce. Also failed logins are pretty important as you may be 
> under attack, while logoffs you are never under attack. So, I don't know if 
> logoffs are worthy of an IDS alert. However, it would be fine for something 
> like an aulast command. Would that be helpful or do you see an IDS angle I'm 
> missing? Its a good question, though.

I don't have much use for an IDS alert on logoff, unless it's a session that is
automagically logged in at boot and not supposed to logout - usually running a
captive kiosk or system-monitoring tool (but in those cases, the program can
usually be modified or wrapped to generate its own "Yow I exited unexpectedly"
alerts).  On the other hand, having some sort of '*last' capability is almost
always useful when you're trying to figure out what happened - "Fred left the
office at 5PM, but his session was there till 11PM, and something odd happened
at 10:30PM".  Usually means either Fred didn't in fact leave, or Fred left the
session unlocked and you have a too-clued janitor on the payroll.. :)

[-- Attachment #1.2: Type: application/pgp-signature, Size: 226 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

next prev parent reply	other threads:[~2008-02-06 22:19 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-06 21:48 audit 1.6.7 questions LC Bruzenak
2008-02-06 22:04 ` Steve Grubb
2008-02-06 22:19   ` Valdis.Kletnieks [this message]
2008-02-06 22:33   ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=21216.1202336375@turing-police.cc.vt.edu \
    --to=valdis.kletnieks@vt.edu \
    --cc=linux-audit@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox