I notice that in normal operation audit event IDs are sequential. Is it sufficient to look for non-sequential audit events to detects gaps in the record? Are there any circumstances, including deliberate tampering, where this might not be sufficient?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490