I notice that in normal operation audit event IDs are sequential. Is it sufficient to look for non-sequential audit events to detect gaps in the record? Are there any circumstances, including deliberate tampering, where this might not be sufficient?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
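The check the question describes, sketched as an added example (not part of the original message, and not code from the audit project): it reads the serial from each record's `msg=audit(time:serial)` stamp and reports missing ranges and backward steps. The sample lines are constructed, and the function name `find_serial_gaps` is hypothetical; it assumes records are read in log order and that records sharing a serial belong to one event.

```python
import re

# Every audit record carries a stamp of the form msg=audit(<epoch>.<ms>:<serial>).
STAMP = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

def find_serial_gaps(lines):
    """Return (gaps, backward) for audit records read in log order.

    gaps     -- list of (first_missing, last_missing) serial ranges
    backward -- list of (previous_serial, serial) where the serial decreased,
                e.g. a counter restart or records written out of order
                (which of the two it is cannot be told from the serial alone)
    """
    gaps, backward = [], []
    prev = None
    for line in lines:
        m = STAMP.search(line)
        if not m:
            continue  # not an audit record; ignore
        serial = int(m.group(3))
        if prev is not None and serial != prev:
            if serial > prev + 1:
                gaps.append((prev + 1, serial - 1))
            elif serial < prev:
                backward.append((prev, serial))
        prev = serial
    return gaps, backward

# Constructed sample: serial 100 spans three records, 102-104 are missing,
# then the serial steps backward from 105 to 1.
SAMPLE = """\
type=SYSCALL msg=audit(1364481363.243:100): arch=c000003e syscall=2 success=yes
type=CWD msg=audit(1364481363.243:100): cwd="/root"
type=PATH msg=audit(1364481363.243:100): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1364481364.010:101): arch=c000003e syscall=2 success=yes
type=SYSCALL msg=audit(1364481370.500:105): arch=c000003e syscall=59 success=yes
type=SYSCALL msg=audit(1364481400.000:1): arch=c000003e syscall=2 success=yes
type=SYSCALL msg=audit(1364481401.000:2): arch=c000003e syscall=2 success=yes
""".splitlines()

if __name__ == "__main__":
    gaps, backward = find_serial_gaps(SAMPLE)
    for first, last in gaps:
        print(f"missing serials {first}-{last}")
    for before, after in backward:
        print(f"serial went backward: {before} -> {after}")
```

A clean result from this check only shows that no serial is absent from the sequence; it does not show that the remaining records are unaltered or that serials were not rewritten.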
