Detecting gaps in the audit record
Matthew Booth
mbooth at redhat.com
Thu Feb 1 19:26:25 UTC 2007
I notice that in normal operation audit event IDs are sequential. Is it
sufficient to look for non-sequential audit events to detects gaps in
the record? Are there any circumstances, including deliberate tampering,
where this might not be sufficient?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070201/a66e3822/attachment.htm>
More information about the Linux-audit
mailing list