Hacker News

jelder, last Friday at 11:12 AM (2 replies)

My thoughts exactly. And couldn’t an attacker just fill the logging volume with uninteresting events to prevent certain other events from being recorded?


Replies

gertrunde, last Friday at 12:29 PM

That would be where something like auditd would come in, configured so that if the audit log location runs low on space (or out of space), it will halt the system.

(Yes, quite harsh, but for some use cases it may be the right thing to do, i.e. to fail closed).
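The fail-closed configuration described in the comment above, as an added example that is not part of the original thread: the relevant knobs live in auditd.conf and are `space_left_action`, `admin_space_left_action`, `disk_full_action` and `disk_error_action`, each of which can be set to `halt` (or `single`, which drops to single-user mode) rather than the commonly shipped `suspend`, which just stops writing audit records while the box keeps running. The config excerpt below is constructed, and `conf_value` / `audit_fails_closed` are helper names chosen for this example, not auditd tooling; the check is the kind of thing a hardening script or compliance test would run against `/etc/audit/auditd.conf`.

```shell
#!/bin/sh
# Added example: auditd.conf settings that make the audit subsystem fail closed
# when the log volume runs low or full, plus a check that a given config has them.

# Constructed /etc/audit/auditd.conf excerpt (not copied from any real host).
# space_left fires first (warn by mail); admin_space_left and disk_full halt the box.
SAMPLE_CONF='
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = keep_logs
space_left = 250
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
disk_full_action = halt
disk_error_action = halt
'

# conf_value CONF_TEXT KEY: print the (lowercased) value of KEY from the
# config text, ignoring trailing comments; last definition wins, like auditd.
conf_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
      | tail -n 1 \
      | tr '[:upper:]' '[:lower:]'
}

# audit_fails_closed CONF_TEXT: return 0 when every "out of space" and
# "disk error" path stops the machine (halt or single), 1 otherwise.
# Any other value (suspend, syslog, ignore, rotate, exec, email) keeps the
# system running without audit coverage, i.e. it fails open.
audit_fails_closed() {
    rc=0
    for key in admin_space_left_action disk_full_action disk_error_action; do
        v=$(conf_value "$1" "$key")
        case "$v" in
            halt|single) ;;
            *) printf 'fail-open: %s=%s\n' "$key" "${v:-<unset>}"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: check the constructed sample, or feed in a real file with
#   audit_fails_closed "$(cat /etc/audit/auditd.conf)"
audit_fails_closed "$SAMPLE_CONF" && echo "audit config fails closed"
```

Note that this only covers the disk-space path; a separate setting, the `-f 2` failure flag in audit.rules, makes the kernel panic when it cannot deliver audit records at all (for example when the backlog overflows), which is the kernel-side counterpart of the same fail-closed policy.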

jorvi, last Friday at 11:48 AM

Log filtering via severity / keywords prevents this, assuming the logs are regularly and properly checked.