On Wednesday, February 09, 2011 05:05:52 pm Todd Heberlein wrote:
> On Feb 9, 2011, at 10:17 AM, Steve Grubb wrote:
> > They go on with a table which essentially means you need to audit almost
> > everything. But you only need to worry about the failed access.
> Translation: You only need to worry about failed attacks. Ignore the
> successful attacks.
There are certain system objects where you have to audit both success and failure,
e.g. /etc/shadow. However, if a file's permissions are 0644, do you really need to
audit that the file was accessed, e.g. /etc/localtime?
-Steve
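
The distinction drawn in the reply above, sketched as an added example that is not part of the original thread: pick Linux audit rules per file from its permission bits. Treating "world-readable" as the dividing line, the key name `file-access`, and the helper names are assumptions made for illustration.

```python
import os
import stat

def audit_rules(path, mode, key="file-access"):
    """Return auditctl rule lines for `path`, chosen from its mode bits.

    Assumption for this example: a world-readable file (e.g. 0644) is read
    successfully all the time, so only denied accesses are recorded; a file
    that is not world-readable gets both successes and failures recorded.
    """
    base = f"-a always,exit -F path={path} -F perm=rwa"
    if mode & stat.S_IROTH:
        # success=0 keeps only syscalls that failed (e.g. EACCES on a write)
        return [f"{base} -F success=0 -k {key}"]
    # No success filter: every read, write or attribute change is logged
    return [f"{base} -k {key}"]

def rules_for_paths(paths):
    """Stat each existing path and collect its rules; missing paths are skipped."""
    rules = []
    for p in paths:
        try:
            mode = stat.S_IMODE(os.stat(p).st_mode)
        except FileNotFoundError:
            continue
        rules.extend(audit_rules(p, mode))
    return rules

if __name__ == "__main__":
    # The two files named in the message above
    for line in rules_for_paths(["/etc/shadow", "/etc/localtime"]):
        print(line)
```

The printed lines are in the form accepted by `auditctl` or a file under `/etc/audit/rules.d/`.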