On Wednesday, February 09, 2011 05:05:52 pm Todd Heberlein wrote:
> On Feb 9, 2011, at 10:17 AM, Steve Grubb wrote:
> > They go on with a table which essentially means you need to audit almost
> > everything. But you only need to worry about the failed access.
>
> Translation: You only need to worry about failed attack. Ignore the
> successful attacks.

There are certain system objects where you have to audit both success and failure, e.g. /etc/shadow. However, if a file's permissions are 0644, do you really need to audit that the file was accessed, e.g. /etc/localtime?

-Steve
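The distinction drawn in the message above, sketched as an added example that is not part of the original thread or of the audit project's code: failure-only syscall rules cover every file, and a success watch is emitted only for objects that are not world-readable. The function names, rule keys (`access-denied`, `restricted-object`), the `arch=b64` choice and the sample file modes are assumptions made for illustration.

```python
import stat

# Failure-only syscall rules: one pair covers every file on the system.
# exit=-EACCES / exit=-EPERM match opens that the kernel denied.
# Assumption: 64-bit syscall table only; a b32 pair would be needed as well.
FAILED_ACCESS_RULES = [
    "-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k access-denied",
    "-a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -k access-denied",
]


def success_watch(path, mode):
    """Return a watch rule if successful access to `path` is worth recording."""
    if mode & stat.S_IROTH:
        # World-readable (e.g. 0644): every local user may read the file, so a
        # successful read carries no signal. Denied opens are still caught by
        # FAILED_ACCESS_RULES.
        return None
    # Restricted object: record successful reads, writes and attribute changes.
    return f"-w {path} -p rwa -k restricted-object"


def build_rules(file_modes):
    """Combine the global failure rules with per-object success watches."""
    rules = list(FAILED_ACCESS_RULES)
    for path, mode in sorted(file_modes.items()):
        rule = success_watch(path, mode)
        if rule is not None:
            rules.append(rule)
    return rules


# Constructed sample modes; real values vary by distribution.
SAMPLE_MODES = {"/etc/shadow": 0o640, "/etc/localtime": 0o644}

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_MODES)))
```
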
