What type of advantages could a forensic technician get from it?
Robert Watson: Post-mortem analysis is a tricky business — you want to figure out how the system was broken into and what was done, but this is complicated by the fact that software is extremely flexible and there isn’t much log information. It could be that the first thing you know of an attack is a defaced web page, but maybe the actual break-in occurred weeks before. A detailed audit trail of events can often directly answer the question of how and when the break-in occurred, and allow the technician to backtrack through the log identifying what files were modified by the attacker, what software was run, and what other activities, such as attacking other systems, were performed. As audit is flexible to configure and we ship trail reduction tools, administrators can decide on their own trade-offs between disk space use, performance impact, and log completeness. For example, administrators might choose to audit only system logins, which has very low space and performance overhead —