On Thursday 01 February 2007 14:26, Matthew Booth wrote: > I notice that in normal operation audit event IDs are sequential.
They are nearly sequential. It is possible for records of an event to get interlaced with another event. Its not common in my experience, but people do run across it. > Is it sufficient to look for non-sequential audit events to detects gaps in > the record? Are there any circumstances, including deliberate tampering, > where this might not be sufficient? No. You could have 99, 100, 101, 100, 102, 100, 102, 103, 104. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
