Re: Detecting gaps in the audit record
On Thursday 01 February 2007 14:26, Matthew Booth wrote:
I notice that in normal operation audit event IDs are sequential.
They are nearly sequential. It is possible for records of an event to get
interlaced with another event. Its not common in my experience, but people do
run across it.
Is it sufficient to look for non-sequential audit events to detects
gaps in
the record? Are there any circumstances, including deliberate tampering,
where this might not be sufficient?
No. You could have 99, 100, 101, 100, 102, 100, 102, 103, 104.
-Steve