Re: Current capabilities
On Thursday 14 December 2006 07:43, Boyce, Kevin P. (Melbourne, FL) wrote:
If you need a record of failed login attempts, try using the syslog
daemon.
Syslog is generally not good enough for people that *really* need to track
this information. Syslog can be lossy due to udp. And the average user can do
this to you:
while [ 1 ]; do
logger "blah blah blah"
done
When your disk fills up...where's the login information going to go? The audit
system has higher integrity due to needing CAP_AUDIT_WRITE to send login
information. The kernel collects some of the data from the process
credentials so its more trustworthy. It can alert the admin when the audit
partition is starting to get full and then take the machine down if it does
fill.
-Steve