audit 1.6.7 questions
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Wed Feb 6 22:19:35 UTC 2008
On Wed, 06 Feb 2008 17:04:12 EST, Steve Grubb said:
> Logoffs have to be determined from session information. So, it takes some
> extra logic to deduce. Also failed logins are pretty important as you may be
> under attack, while logoffs you are never under attack. So, I don't know if
> logoffs are worthy of an IDS alert. However, it would be fine for something
> like an aulast command. Would that be helpful or do you see an IDS angle I'm
> missing? Its a good question, though.
I don't have much use for an IDS alert on logoff, unless it's a session that is
automagically logged in at boot and not supposed to logout - usually running a
captive kiosk or system-monitoring tool (but in those cases, the program can
usually be modified or wrapped to generate its own "Yow I exited unexpectedly"
alerts). On the other hand, having some sort of '*last' capability is almost
always useful when you're trying to figure out what happened - "Fred left the
office at 5PM, but his session was there till 11PM, and something odd happened
at 10:30PM". Usually means either Fred didn't in fact leave, or Fred left the
session unlocked and you have a too-clued janitor on the payroll.. :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20080206/320c5c60/attachment.sig>
More information about the Linux-audit
mailing list