On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey Schaufler wrote:
--- Klaus Weidner <klaus(a)atsec.com> wrote:
> I'm not aware of an explicit CAPP requirement for
> logout messages, so I'd
> consider that to be a "nice to have" feature.
You need a logout message. Really.
Can you point to a specific requirement in CAPP related to that?
Note that even if you have logout records, they are not a reliable
indication that the session is complete, there may be background
processes launched by the user that keep running (and potentially
generating audit events) after the logout message. If you need that kind
of information and you aren't satisfied with the login UID, you need to
trace all fork/exec/exit events for the session.
-Klaus