On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote:
> On Linux we don't record a terminal.

We do record terminal info in the tty & term fields. Additionally, if the auid and ses fields are -1, you know it's a process that was descended from init. If they have something in them, then it was descended from a login session.

> What about system daemons restarted by an administrator?

They would inherit the admin's environment and identifiers.

> How about SELinux?

Not sure how this applies.

-Steve
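An added example, not part of the original message: a small Python classifier that applies the auid/ses rule described above to audit records. The function names and sample records are constructed for illustration, and it assumes raw logs may write an unset value as 4294967295 (the unsigned 32-bit form of -1).

```python
import re

# Ways an unset auid/ses can appear: -1, its unsigned 32-bit form as
# written in raw logs, and the "unset" string of interpreted output.
UNSET = {"-1", "4294967295", "unset"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def origin(rec):
    """Classify a record by its auid and ses fields.

    Both unset  -> the process descends from init.
    Otherwise   -> the process descends from a login session.
    """
    auid, ses = rec.get("auid"), rec.get("ses")
    if auid is None or ses is None:
        return "unknown"  # record type carries no auid/ses fields
    if auid in UNSET and ses in UNSET:
        return "init"
    return "login-session"


def summarize(lines):
    """Return (comm, origin, tty, auid) for each record."""
    rows = []
    for line in lines:
        rec = parse_record(line)
        rows.append((rec.get("comm"), origin(rec), rec.get("tty"), rec.get("auid")))
    return rows


# Constructed sample records (not taken from a real system).
SAMPLE = [
    # Daemon started at boot: no login uid, no session, no terminal.
    'type=SYSCALL msg=audit(1236634929.101:41): syscall=59 ppid=1 pid=2101 '
    'auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"',
    # Interactive shell of a logged-in user.
    'type=SYSCALL msg=audit(1236634930.202:42): syscall=59 ppid=2300 pid=2301 '
    'auid=500 uid=500 tty=pts0 ses=3 comm="bash" exe="/bin/bash"',
    # Daemon restarted by an administrator: it inherits the admin's auid and ses.
    'type=SYSCALL msg=audit(1236634931.303:43): syscall=59 ppid=2301 pid=2350 '
    'auid=500 uid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd"',
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The third record shows the restarted-daemon case: it is classified as a login-session descendant because it carries the administrator's identifiers.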
