On Wed, 06 Feb 2008 17:04:12 EST, Steve Grubb said:
> Logoffs have to be determined from session information. So, it takes some
> extra logic to deduce. Also failed logins are pretty important as you may be
> under attack, while logoffs you are never under attack. So, I don't know if
> logoffs are worthy of an IDS alert. However, it would be fine for something
> like an aulast command. Would that be helpful or do you see an IDS angle I'm
> missing? It's a good question, though.
I don't have much use for an IDS alert on logoff, unless it's a session that is automagically logged in at boot and not supposed to log out - usually running a captive kiosk or system-monitoring tool (but in those cases, the program can usually be modified or wrapped to generate its own "Yow I exited unexpectedly" alerts). On the other hand, having some sort of '*last' capability is almost always useful when you're trying to figure out what happened - "Fred left the office at 5PM, but his session was there till 11PM, and something odd happened at 10:30PM". Usually means either Fred didn't in fact leave, or Fred left the session unlocked and you have a too-clued janitor on the payroll... :)
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
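An added example, my own code rather than anything from this thread or the audit project, of the aulast-style reconstruction Steve describes: it pairs USER_LOGIN and USER_END audit records by session id to recover logoff times, tallies failed logins separately, and flags sessions that end after hours, which is the "Fred's session was there till 11PM" case above. The audit records are constructed sample data, and the field regexes and the 20:00 UTC after-hours threshold are my assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not from any real host). USER_LOGIN and
# USER_END records share a ses= id, which is what lets a logoff be deduced.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1202288400.101:201): pid=2001 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1202288460.102:202): pid=2005 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1202289000.103:203): pid=2010 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'
type=USER_END msg=audit(1202317200.104:204): pid=2010 uid=0 auid=1001 ses=8 msg='op=PAM:session_close acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'
type=USER_END msg=audit(1202338800.105:205): pid=2001 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="fred" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

REC_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:\d+\):(?P<body>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_record(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    m = REC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m.group("body"))}
    fields["type"], fields["ts"] = m.group("type"), int(m.group("ts"))
    return fields

def reconstruct_sessions(log_text, after_hours_utc=20):
    """Pair logins with logoffs by session id; also collect failed logins."""
    sessions, failed = {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "USER_LOGIN":
            if rec.get("res") != "success":
                failed.append({"ts": rec["ts"], "acct": rec.get("acct"), "addr": rec.get("addr")})
            else:
                sessions[rec["ses"]] = {"auid": rec["auid"], "addr": rec.get("addr"),
                                        "start": rec["ts"], "end": None}
        elif rec["type"] == "USER_END" and rec.get("ses") in sessions:
            sessions[rec["ses"]]["end"] = rec["ts"]
    for s in sessions.values():
        end = s["end"]
        s["duration_h"] = None if end is None else round((end - s["start"]) / 3600, 2)
        # Flag a session that ends after the assumed end of the working day (UTC).
        s["after_hours"] = end is not None and datetime.fromtimestamp(end, timezone.utc).hour >= after_hours_utc
    return sessions, failed
```

A session with `end` still None is one that never closed, which is the other case worth a second look.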
