Current capabilities
Steve Grubb
sgrubb at redhat.com
Thu Dec 14 13:33:15 UTC 2006
On Thursday 14 December 2006 07:43, Boyce, Kevin P. (Melbourne, FL) wrote:
> If you need a record of failed login attempts, try using the syslog
> daemon.
Syslog is generally not good enough for people that *really* need to track
this information. Syslog can be lossy due to udp. And the average user can do
this to you:
while [ 1 ]; do
logger "blah blah blah"
done
When your disk fills up...where's the login information going to go? The audit
system has higher integrity due to needing CAP_AUDIT_WRITE to send login
information. The kernel collects some of the data from the process
credentials so its more trustworthy. It can alert the admin when the audit
partition is starting to get full and then take the machine down if it does
fill.
-Steve
More information about the Linux-audit
mailing list