TrustedBSD Audit Project
richard offer
offer at sgi.com
Mon Oct 8 21:24:24 GMT 2001
* frm _ at r4k.net "10/08/2001 11:18:05 PM +0200" | sed '1,$s/^/* /'
*
*
* The guide mentions that no matter how audit trail overflow is handled,
* 'there must be a way to archive all of the audit data'. Possible actions
* in case the log data can't be written that are listed there even include
* include stuff like stopping etc. From what I read on oss.sgi.com this
* seems to be the action trusted irix will take after the reserved emergency
* space has been exceeded also.
* Assuming that this was not a requirement,
* I suppose these things should be configurable ?
Making the behaviour configurable sounds good...my firewall has an option
for its behaviour when the log fills up of "throwing away log entries" or
"stopping". I suppose there must be enough people who don't mind them being
thrown away that they added the option.
* I was also wondering if
* it would be an option to only log 'critical' events, if space gets lower,
* although I'm not sure how 'trusted' this is.
If its being audited its generally considered critical.
*
* bye,
* Stephanie
richard.
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message
More information about the trustedbsd-audit
mailing list