audit question (fwd)
richard offer
offer at sgi.com
Thu Nov 15 23:42:34 GMT 2001
* frm arr at FreeBSD.org "11/14/2001 06:03:34 PM -0500" | sed '1,$s/^/* /'
*
[snip]
*
* Another thought I had, relating to saving space on disk, was to save a
* "log started time" (LST) and base times for log entries as offsets from
* that (LST+N seconds).
*
* I assume some of the above has been done or thought of before, so if
* people are willing to pipe up and share that kind of information, it would
* be much appreciated.
I personally believe that an audit record should be self contained. It
should not need any external "mapping" to decipher it. It's just one more
thing that needs to be kept in-sync with kernel changes. Records are small
enough that it seems like complication with limited pay-off.
A record should not contain any information that is relative to a
preceding record. If you lose the magic record you've just made your
entire log worthless (at least for any subsequent legal actions). How do
you handle log rotations?
Of course I'm probably wrong.
*
* I appreciate you sending some logs, thanks.
*
* Cheers,
* Andrew
richard.
--
-----------------------------------------------------------------------
Richard Offer Technical Lead, Trust Technology, SGI
"Specialization is for insects"
___________________________________________On sabbatical Nov 8 -> Nov 30
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message