[816] in Intrusion Detection Systems


Re: Audit trails

daemon@ATHENA.MIT.EDU (leclerc@austin.asc.slb.com)
Tue Dec 17 05:31:14 1996

From: leclerc@austin.asc.slb.com
Date: Wed, 11 Dec 1996 16:28:34 -0600
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au

> Even though it does provide some information it does not provide 
> information which can really be used to automate tracking. 

http://www.haystack.com

From my little understanding of their web product, they can differentiate (at
least on Solaris), as the process token (according to man audit.log) contains:
        auid  Audit User ID, p 44 & 53 SunSHIELD Basic Security Module guide
              (set at logtime)
        euid  Effective User ID
        ruid  Real User ID

In the example:
S1 files are modified by 
alex russ russ

S2 files are modified by
russ russ russ

This is on a Sun; I have no experience on AIX.

--Francois
PS: sorry if company and products are not supposed to appear on the list
