Detecting gaps in the audit record

Steve Grubb sgrubb at redhat.com
Thu Feb 1 21:14:00 UTC 2007


On Thursday 01 February 2007 14:26, Matthew Booth wrote:
> I notice that in normal operation audit event IDs are sequential.

They are nearly sequential. It is possible for records of an event to get 
interlaced with another event. It's not common in my experience, but people do 
run across it.

> Is it sufficient to look for non-sequential audit events to detect gaps in
> the record? Are there any circumstances, including deliberate tampering, 
> where this might not be sufficient?

No. You could have 99, 100, 101, 100, 102, 100, 102, 103, 104.

-Steve
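The gap check implied by the reply above, as an added example that is not part of the original post or of the audit tools: because all records of one event share the same serial and events can interleave, a "next serial must be previous + 1" test fires on perfectly complete logs, while a set-based test (every serial between the lowest and highest seen is present at least once) does not. The log lines are constructed for the example, with the serial order 99, 100, 101, 100, 102, 100, 102, 103, 104 taken from the reply; the field layout mimics audit.log, but the values are made up.

```python
import re
from typing import Iterable, List, Tuple

# Every audit record carries "msg=audit(<seconds>.<millis>:<serial>)".  All
# records of one event share the serial; records of different events may be
# interleaved, and records of the same event may therefore appear out of order.
_MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def parse_serials(lines: Iterable[str]) -> List[Tuple[float, int]]:
    """Return (timestamp, serial) for each record that carries an audit(...) stamp."""
    out = []
    for line in lines:
        m = _MSG_RE.search(line)
        if m:
            out.append((float(f"{m.group(1)}.{m.group(2)}"), int(m.group(3))))
    return out


def naive_is_sequential(serials: List[int]) -> bool:
    """The check from the question: every serial must equal the previous one + 1.
    Interleaved events make this fail even though nothing is missing."""
    return all(b == a + 1 for a, b in zip(serials, serials[1:]))


def find_gaps(serials: List[int]) -> List[int]:
    """Serials that never appear between the lowest and highest seen.
    Repeats and out-of-order records (interleaving) are not gaps."""
    seen = set(serials)
    if not seen:
        return []
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


# Constructed sample log (not from a real system).  Event 100 is a three-record
# event (SYSCALL, EXECVE, CWD) whose records are spread between other events.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170364440.101:99): arch=c000003e syscall=2 success=yes exit=3
type=SYSCALL msg=audit(1170364440.115:100): arch=c000003e syscall=59 success=yes exit=0
type=SYSCALL msg=audit(1170364440.118:101): arch=c000003e syscall=2 success=yes exit=4
type=EXECVE msg=audit(1170364440.115:100): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1170364440.120:102): arch=c000003e syscall=2 success=no exit=-13
type=CWD msg=audit(1170364440.115:100): cwd="/root"
type=PATH msg=audit(1170364440.120:102): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1170364440.130:103): arch=c000003e syscall=2 success=yes exit=5
type=SYSCALL msg=audit(1170364440.140:104): arch=c000003e syscall=2 success=yes exit=6
"""


def sample_serials() -> List[int]:
    """Serials of the constructed log in file order."""
    return [serial for _, serial in parse_serials(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    serials = sample_serials()
    print("order in log:", serials)
    print("strictly sequential?", naive_is_sequential(serials))  # False, yet complete
    print("missing serials:", find_gaps(serials))                 # []
    # Drop every record of event 103 to simulate a lost event.
    lost = [s for s in serials if s != 103]
    print("missing after losing 103:", find_gaps(lost))           # [103]
```

Two caveats for anyone running this against a real audit.log: the kernel's serial counter restarts at boot, so analyse one boot at a time (the timestamp is kept for that purpose), and a contiguous set of serials only tells you that no event was lost in transit (a full backlog, a crashed daemon); anyone who can edit the file can renumber what remains, so this is a completeness check, not a tamper check.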