Auditing File Changes
Klaus Weidner
klaus at atsec.com
Mon Jul 10 21:01:03 UTC 2006
On Mon, Jul 10, 2006 at 04:51:31PM -0400, Valdis.Kletnieks at vt.edu wrote:
> And "comparing trusted accesses to total accesses" is quite possibly flawed as
> well - I've lost count of times that the audit trail has clearly said that a
> "trusted program" did something, and the *actual* security issue was the user
> went to the bathroom and a locking screensaver wasn't engaged, allowing
> somebody else to run the program surreptitiously....
That one is easy to fix by including a current webcam picture of the user
in each audit record in addition to the auid ;-)
-Klaus
More information about the Linux-audit
mailing list