On Wednesday 06 February 2008 16:48:14 LC Bruzenak wrote:
> Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
> not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?

That one is still TBD. I needed the define in libaudit.h so I could use it later. I have to patch a few user space utilities to send the event.

> Also - gotta ask, user logins but not logoffs?

Logoffs have to be determined from session information. So, it takes some extra logic to deduce. Also, failed logins are pretty important as you may be under attack, while with logoffs you are never under attack. So, I don't know if logoffs are worthy of an IDS alert. However, it would be fine for something like an aulast command. Would that be helpful or do you see an IDS angle I'm missing? It's a good question, though.

Thanks,
-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
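The "extra logic" Steve mentions for deducing logoffs is the kind of session correlation an aulast-style tool does: pair each successful USER_LOGIN with the USER_END that carries the same ses= id, and report failed logins separately since those are the IDS-relevant events. The script below is an added illustration written for this page, not code from the audit project or from the thread's participants. The audit records it parses are constructed samples in the auditd text format; the field names (type, ses, auid, addr, res, acct) are the standard ones, but the timestamps, pids and addresses are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample audit records (not real log data). ses= is the login
# session id that lets USER_LOGIN and USER_END records be paired up.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1202330000.100:101): pid=2001 uid=0 auid=500 ses=7 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1202330005.200:102): pid=2002 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1202330010.300:103): pid=2003 uid=0 auid=501 ses=8 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
type=USER_END msg=audit(1202330600.400:104): pid=2001 uid=0 auid=500 ses=7 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
"""

# Outer record layout: type=... msg=audit(<epoch.ms>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values may be double-quoted (exe="/usr/sbin/sshd") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Optional[dict]:
    """Parse one audit text record into a flat dict, or None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    # The inner msg='...' block is flattened into the same dict; stripping
    # quotes handles both the opening quote on op= and the closing one on res=.
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")), **fields}


@dataclass
class Session:
    ses: str
    auid: str
    addr: str
    start: float
    end: Optional[float] = None  # None means no USER_END seen yet (still logged in)

    @property
    def duration(self) -> Optional[float]:
        return None if self.end is None else self.end - self.start


def correlate(lines: List[str]) -> Tuple[List[Session], List[dict]]:
    """Pair logins with logoffs by session id; collect failed logins separately.

    Caveat: session ids are reused across reboots, so a real tool would also
    key on the boot/time window. Keying on ses= alone is enough for one log.
    """
    sessions: Dict[str, Session] = {}
    failed: List[dict] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "USER_LOGIN":
            if rec.get("res") != "success":
                failed.append(rec)  # a failed login stands on its own as an alert
                continue
            sessions[rec["ses"]] = Session(
                ses=rec["ses"], auid=rec.get("auid", "?"),
                addr=rec.get("addr", "?"), start=rec["ts"],
            )
        elif rec["type"] == "USER_END" and rec.get("ses") in sessions:
            # The logoff is only known by matching the session that started it.
            sessions[rec["ses"]].end = rec["ts"]
    return list(sessions.values()), failed


def aulast_report(sessions: List[Session]) -> List[str]:
    """Render sessions the way an aulast-like command might, one line each."""
    out = []
    for s in sessions:
        status = "still logged in" if s.end is None else f"logged out after {s.duration:.1f}s"
        out.append(f"auid={s.auid} ses={s.ses} from {s.addr} at {s.start:.0f}: {status}")
    return out


if __name__ == "__main__":
    sess, bad = correlate(SAMPLE_AUDIT_LOG.splitlines())
    for row in aulast_report(sess):
        print(row)
    for f in bad:
        print(f"FAILED LOGIN acct={f.get('acct')} from {f.get('addr')} at {f['ts']:.0f}")
```

Running it against the constructed log yields one closed session (ses=7, about 600 seconds), one still-open session (ses=8), and one failed root login reported on its own, which mirrors the distinction in the mail: the failed attempt is alert material by itself, while the logoff is only derivable from session bookkeeping.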
