On Tuesday, December 08, 2015 03:49:58 PM Richard Guy Briggs wrote:
> On 15/12/08, Steve Grubb wrote:
> > Hello,
> >
> > I would like to point out 2 new standards that have been posted to the
> > linux audit web page. The first establishes the events around system
> > start up and shutdown. This is important because it sets the session
> > boundaries for when a system is up or down or crashed.
> >
> > http://people.redhat.com/sgrubb/audit/system-lifecycle.txt
>
> A couple of very minor corrections to this first one:

Thanks, Applied.

> > The second standard is more of a forward looking standard. It explains how
> > the audit daemon and utilities will perform event enrichment before being
> > stored long term in an aggregator. The target for implementation is the
> > 2.5 release of the audit daemon.
> >
> > http://people.redhat.com/sgrubb/audit/event-enrichment
>
> How do you mean for IP address to be "resolved"? Is this simply a
> matter of recording it? Or would this be a reverse lookup on the local
> machine to get the opinion of what it should be from the DNS perspective
> of the local machine, assuming different machines in the logging domain
> could potentially have different views of DNS?

I think the latter. Bot-nets get shut down. Systems go away. Sometimes
internal names differ from external names.

-Steve

> > Let me know if anyone has feedback on these standards, especially the
> > second one.
> >
> > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
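An added illustration of the "reverse lookup on the local machine" reading of "resolved" that the reply settles on (example code, not part of the thread and not the audit project's own): it parses a constructed audit record, asks the local resolver for a name, and keeps the raw address alongside the name and the resolving host, so an aggregator still has the address after the host is gone and knows whose view of DNS the name reflects. The sample record and the resolved_host/resolved_by field names are this example's assumptions, not the standard's.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed sample record (not from the thread): a login event whose peer
# address the audit system recorded but has not yet resolved.
SAMPLE_LINE = ("type=USER_LOGIN msg=audit(1449600000.123:42): pid=2001 uid=0 "
               "auid=1000 ses=3 addr=192.0.2.10 hostname=? terminal=ssh res=success")

Resolver = Callable[[str], Optional[str]]

def parse_record(line: str) -> Dict[str, str]:
    """Split a one-line audit record into its key=value fields."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def local_reverse_lookup(addr: str) -> Optional[str]:
    """Reverse lookup through this machine's own resolver; None if nothing answers."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None

def enrich_record(fields: Dict[str, str], resolver: Resolver = local_reverse_lookup,
                  origin: Optional[str] = None) -> Dict[str, str]:
    """Add the local DNS opinion of addr without discarding the raw address.

    Names are a point-in-time view (hosts go away, internal and external names
    differ), so addr is kept and the enriching host is recorded next to the name.
    resolved_host / resolved_by are this example's field names, not the standard's.
    """
    enriched = dict(fields)
    addr = fields.get("addr", "?")
    if addr == "?":  # audit's marker for "unknown": nothing to resolve
        return enriched
    name = resolver(addr)
    enriched["resolved_host"] = name if name else "?"
    enriched["resolved_by"] = origin or socket.gethostname()
    return enriched

def format_record(fields: Dict[str, str]) -> str:
    """Serialize the enriched fields back into the one-line key=value form."""
    return " ".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    print(format_record(enrich_record(parse_record(SAMPLE_LINE))))
```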
