From: Valdis.Kletnieks@vt.edu
Subject: Re: audit 1.6.7 questions
Date: Wed, 06 Feb 2008 17:19:35 -0500
Message-ID: <21216.1202336375@turing-police.cc.vt.edu>
In-Reply-To: <200802061704.12464.sgrubb@redhat.com>
References: <1202334494.6538.58.camel@homeserver> <200802061704.12464.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 06 Feb 2008 17:04:12 EST, Steve Grubb said:
> Logoffs have to be determined from session information. So, it takes some
> extra logic to deduce. Also failed logins are pretty important as you may be
> under attack, while logoffs you are never under attack. So, I don't know if
> logoffs are worthy of an IDS alert. However, it would be fine for something
> like an aulast command. Would that be helpful or do you see an IDS angle I'm
> missing? It's a good question, though.

I don't have much use for an IDS alert on logoff, unless it's a session that is
automagically logged in at boot and not supposed to log out - usually running a
captive kiosk or system-monitoring tool (but in those cases, the program can
usually be modified or wrapped to generate its own "Yow I exited unexpectedly"
alerts).

On the other hand, having some sort of '*last' capability is almost always
useful when you're trying to figure out what happened - "Fred left the office
at 5PM, but his session was there till 11PM, and something odd happened at
10:30PM". Usually means either Fred didn't in fact leave, or Fred left the
session unlocked and you have a too-clued janitor on the payroll... :)
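The "deduce logoffs from session information" point above, and the '*last' use case Valdis describes, can be made concrete with a small script. This is an added example, not code from the thread or from the audit project: it pairs USER_START with USER_END records by their ses= field to produce a last-style listing, lists failed USER_LOGIN records separately (the IDS-worthy signal from Steve's reply), and flags sessions that outlived a chosen maximum, which is the "Fred's session was there till 11PM" case. The audit lines it parses are constructed samples; the field layout (type=, msg=audit(...), a nested msg='...' with acct/addr/res, and ses= as the session key) is an assumption about the record format, not something taken from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real log data); times are UTC epoch seconds.
# fred:  session 7 open 11:00, closed 22:00 (11 hours)
# alice: session 8 open 12:00, closed 13:00 (1 hour)
# bob:   session 9 open 20:00, never closed
# root:  one failed login from 10.0.0.77 at 21:00
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1202295600.101:201): user pid=2101 uid=0 auid=1001 ses=7 msg='op=login acct="fred" addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1202295600.102:202): user pid=2101 uid=0 auid=1001 ses=7 msg='op=PAM:session_open acct="fred" addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1202299200.300:210): user pid=2200 uid=0 auid=1002 ses=8 msg='op=login acct="alice" addr=10.0.0.9 terminal=ssh res=success'
type=USER_START msg=audit(1202299200.301:211): user pid=2200 uid=0 auid=1002 ses=8 msg='op=PAM:session_open acct="alice" addr=10.0.0.9 terminal=ssh res=success'
type=USER_END msg=audit(1202302800.500:230): user pid=2200 uid=0 auid=1002 ses=8 msg='op=PAM:session_close acct="alice" addr=10.0.0.9 terminal=ssh res=success'
type=USER_START msg=audit(1202328000.600:240): user pid=2300 uid=0 auid=1003 ses=9 msg='op=PAM:session_open acct="bob" addr=10.0.0.12 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1202331600.700:250): user pid=2400 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" addr=10.0.0.77 terminal=ssh res=failed'
type=USER_END msg=audit(1202335200.900:260): user pid=2101 uid=0 auid=1001 ses=7 msg='op=PAM:session_close acct="fred" addr=10.0.0.5 terminal=ssh res=success'
"""

# "Now" for the constructed data: 22:20 UTC, twenty minutes after fred's logoff.
NOW = datetime.fromtimestamp(1202336400, tz=timezone.utc)
MAX_SESSION = timedelta(hours=8)  # policy threshold chosen for the example

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """Parse one audit line into a flat dict; fields nested in msg='...' are merged in."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not an audit record we understand; skip it
    rtype, secs, _msec, serial, tail = m.groups()
    rec = {"type": rtype, "serial": int(serial),
           "time": datetime.fromtimestamp(int(secs), tz=timezone.utc)}
    for key, val in FIELD_RE.findall(tail):
        val = val.strip("\"'")
        if key == "msg":  # nested PAM/login payload: op=, acct=, addr=, res=
            for ikey, ival in FIELD_RE.findall(val):
                rec[ikey] = ival.strip("\"'")
        else:
            rec[key] = val
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def pair_sessions(records):
    """Deduce logoffs: USER_START opens a session keyed by ses=, USER_END closes it."""
    sessions = {}
    for r in records:
        ses = r.get("ses")
        if r["type"] == "USER_START" and r.get("res") == "success":
            sessions[ses] = {"acct": r.get("acct"), "auid": r.get("auid"), "ses": ses,
                             "addr": r.get("addr"), "start": r["time"], "end": None}
        elif r["type"] == "USER_END" and ses in sessions:
            sessions[ses]["end"] = r["time"]
    return list(sessions.values())


def failed_logins(records):
    """USER_LOGIN records whose result is not success; the part worth alerting on."""
    return [r for r in records if r["type"] == "USER_LOGIN" and r.get("res") != "success"]


def session_hours(session, now=NOW):
    """Length of a session in hours; an open session is measured up to `now`."""
    end = session["end"] or now
    return (end - session["start"]).total_seconds() / 3600.0


def long_sessions(sessions, max_duration=MAX_SESSION, now=NOW):
    """Sessions (open or closed) that exceeded the maximum duration."""
    return [s for s in sessions if (s["end"] or now) - s["start"] > max_duration]


def format_last(sessions, now=NOW):
    """last(1)-style lines, oldest login first."""
    lines = []
    for s in sorted(sessions, key=lambda s: s["start"]):
        end = s["end"].strftime("%H:%M") if s["end"] else "still logged in"
        dur = (s["end"] or now) - s["start"]
        lines.append(f"{s['acct'] or '-':<8} ses={s['ses'] or '-':<4} {s['addr'] or '-':<12} "
                     f"{s['start']:%Y-%m-%d %H:%M} - {end}  ({dur})")
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    sessions = pair_sessions(recs)
    print("\n".join(format_last(sessions)))
    for r in failed_logins(recs):
        print(f"FAILED LOGIN acct={r.get('acct')} from {r.get('addr')} at {r['time']:%H:%M}")
    for s in long_sessions(sessions):
        print(f"LONG SESSION acct={s['acct']} ses={s['ses']} {session_hours(s):.1f}h")
```

Pairing on ses= rather than on pid or account is what makes the logoff unambiguous when the same user has several sessions open at once; a USER_END whose ses= was never opened in the window you are reading is simply ignored, which is the right behaviour when the log has been rotated mid-session.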