Re: OmniGuard/ITA

Please check into the actual data sources used by this software product. Unless their technical folks and manuals are mistaken, ITA is using syslog, utmp, Unix process accounting information, and possibly sulog info, and it does NOT use the operating system ("C2") audit trails.

This has certain implications. The accounting log (and other sources listed) know nothing about objects (files) that are manipulated by processes. The accounting log refers to processes only by their final pathname component (not a full pathname). The identity attached to a process execution is the current effective uid, not the login uid (sometimes called the "audit uid"), so you can't really tell who ran the logged process.

You could, of course, replace all the vendor binaries with modified ones that cause events to be written to syslog. But that would be a REAL security problem. (Or you could bite the bullet and look at the OS audit trails, which are TOTALLY non-standard across vendors.)

Their data sources could be used to implement a "three failed logins and you're toast" alarm, or to note someone ran a process called "crack". But it wouldn't tell you if fred renamed the crack binary to be called "/home/fred/vi", then ran it. And it wouldn't tell you if fred used the loadmodule hack to become root. And it wouldn't tell you if you've been had again by sendmail. (Just that sendmail ran. Maybe.)

It is worth asking what kinds of things you want detected, then what events need to be collected to enable that detection, then what data sources collect those events.

Steve Smaha
Haystack Labs, Inc., 10713 RR 620N, Suite 521, Austin, TX 78726
512-918-3555 (voice), 512-918-1265 (fax), smaha@dockmaster.ncsc.mil
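The detection gap the message describes, as an added example that is not part of the original post: a syslog-based failed-login alarm works with these data sources, while a name-based check over process-accounting records (which keep only the final path component and the effective uid) misses the renamed binary and cannot tie root-level activity back to the login uid. The record fields, the syslog line format, user "fred" and the uid numbers are constructed assumptions.

```python
import re
from collections import Counter

# Constructed accounting records (assumption, not real data): only the last
# path component ("comm") and the effective uid survive, as the post notes.
ACCT_RECORDS = [
    {"comm": "crack",    "uid": 1001, "tty": "ttyp1"},  # fred runs crack openly
    {"comm": "vi",       "uid": 1001, "tty": "ttyp1"},  # fred's renamed copy, /home/fred/vi
    {"comm": "sh",       "uid": 0,    "tty": "ttyp1"},  # shell after becoming root: euid 0, login uid gone
    {"comm": "sendmail", "uid": 0,    "tty": "?"},      # sendmail ran; nothing says what it did
]

# Constructed syslog lines in the style of login failure messages (assumption).
SYSLOG_LINES = [
    "Jan  5 10:01:02 host login[201]: FAILED LOGIN 1 FROM ttyp2 FOR root, Authentication failure",
    "Jan  5 10:01:09 host login[201]: FAILED LOGIN 2 FROM ttyp2 FOR root, Authentication failure",
    "Jan  5 10:01:15 host login[201]: FAILED LOGIN 3 FROM ttyp2 FOR root, Authentication failure",
    "Jan  5 10:02:00 host login[202]: FAILED LOGIN 1 FROM ttyp3 FOR fred, Authentication failure",
]

FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")


def failed_login_alarm(lines, threshold=3):
    """Return (tty, user) pairs that reached the failure threshold.
    This is the 'three failed logins and you're toast' check, and syslog
    carries enough to implement it."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def flag_by_name(records, watchlist=("crack",)):
    """Flag accounting records whose comm is on a watchlist. Because only
    the final path component is logged, the renamed copy ("vi") is not
    flagged even though it is the same binary."""
    return [r for r in records if r["comm"] in watchlist]


def processes_run_by(records, uid):
    """List what accounting attributes to a uid. The record carries the
    effective uid, so once the session became root its activity no longer
    appears under the login uid that started it."""
    return [r for r in records if r["uid"] == uid]
```

Note that both the root shell and sendmail end up under uid 0, indistinguishable from each other and unattributable to fred.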