key in syscall audit rules.

Steve Grubb sgrubb at redhat.com
Wed May 18 19:17:12 UTC 2005


On Wednesday 18 May 2005 15:03, Klaus Weidner wrote:
> Storing only numbers makes it very hard to interpret older log entries;

I agree

> the mapping table can potentially change at any time, and there's no sane
> way to track the history of all changes to watches to do that.

I've seen places that are required to have audit trails for 6 months. When a 
disk is full, it's removed and a new drive inserted. (These kinds of places use 
removable drives.) 5 months down the road, who knows what rules were in 
effect.

-Steve



