audit 1.6.7 questions

Steve Grubb sgrubb at redhat.com
Wed Feb 6 22:04:12 UTC 2008


On Wednesday 06 February 2008 16:48:14 LC Bruzenak wrote:
> Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
> not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?

That one is still TBD. I needed the define in libaudit.h so I could use it 
later. I have to patch a few user space utilities to send the event.

> Also - gotta ask user logins but not logoffs?

Logoffs have to be determined from session information. So, it takes some 
extra logic to deduce. Also failed logins are pretty important as you may be 
under attack, while logoffs you are never under attack. So, I don't know if 
logoffs are worthy of an IDS alert. However, it would be fine for something 
like an aulast command. Would that be helpful or do you see an IDS angle I'm 
missing? It's a good question, though.

Thanks,
-Steve
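The two points in the reply above, deducing a logoff by matching a USER_END to the USER_LOGIN that carries the same ses= value and flagging repeated failed logins from one source, as an added example that is not code from the thread or the audit project. The audit records are constructed samples in auditd's text record format (field names as auditd emits them; every value is made up), and the threshold of three is an assumed alerting knob.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not from the thread): two successful logins, three
# failed root logins from one address, and one session close.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1202334001.100:101): pid=2001 uid=0 auid=500 ses=7 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=host1 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1202334002.200:102): pid=2002 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1202334003.300:103): pid=2003 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1202334004.400:104): pid=2004 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1202334005.500:105): pid=2005 uid=0 auid=501 ses=9 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=host2 addr=10.0.0.6 terminal=ssh res=success'
type=USER_END msg=audit(1202334600.600:106): pid=2001 uid=0 auid=500 ses=7 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=host1 addr=10.0.0.5 terminal=ssh res=success'
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
TIME_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")

def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd text record into a flat dict; the nested msg='...' fields are merged in."""
    rec = {k: v.strip("'\"") for k, v in FIELD_RE.findall(line)}
    inner = rec.pop("msg", "")          # the last msg= is the quoted PAM/login payload
    if not inner.startswith("audit("):
        rec.update({k: v.strip("'\"") for k, v in FIELD_RE.findall(inner)})
    m = TIME_RE.search(line)
    rec["time"] = int(m.group(1)) if m else 0
    return rec

def session_table(lines: List[str]) -> List[Tuple[str, str, int, Optional[int]]]:
    """Pair each successful USER_LOGIN with the USER_END carrying the same ses= value.
    Returns (ses, auid, login_time, logoff_time); logoff_time is None while still logged in."""
    opened: Dict[str, Tuple[str, int]] = {}
    closed: Dict[str, int] = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "USER_LOGIN" and rec.get("res") == "success":
            opened[rec["ses"]] = (rec["auid"], rec["time"])
        elif rec.get("type") == "USER_END":
            closed[rec["ses"]] = rec["time"]
    return [(ses, auid, t0, closed.get(ses)) for ses, (auid, t0) in opened.items()]

def failed_logins_by_addr(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failed USER_LOGIN records per source address; keep only those at or over threshold."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "USER_LOGIN" and rec.get("res") == "failed":
            counts[rec.get("addr", "?")] = counts.get(rec.get("addr", "?"), 0) + 1
    return {addr: n for addr, n in counts.items() if n >= threshold}
```

Failed logins carry the unset auid/ses value (4294967295), so they never enter the session table; the logoff side is recoverable only because USER_END repeats the ses= the login established.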
