Hi,

Here's my current rule, which is working, but is producing a lot of extra logging that I'd like to suppress:

-a entry,always -S execve -F euid=0

I'm wondering if there's a way to limit this to only audit events that happen from a real tty, e.g. a human user. I'm getting lots of extraneous chatter from sshd, automount, and cron, all of which are from tty=(none), but I'm not sure it's possible to filter on tty...

Thanks

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
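An added note and example, not part of the original post or of the audit project. auditctl's -F field list has no tty field, so the kernel cannot filter on it; the closest in-kernel narrowing is on the login uid, e.g. `-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295` (4294967295 is the unset auid of processes started at boot), which keeps only commands run from sessions that logged in as a normal user and then became root, at the cost of also dropping direct root console logins. Note that the `entry` list is deprecated; rules belong on the `exit` list. For the poster's actual criterion, the tty, the filtering has to happen in userspace. The script below is one way to do that over raw audit.log lines: it keeps each SYSCALL record with euid=0 and a real tty, and carries along the EXECVE/CWD/PATH companion records of the same event serial (which carry no tty of their own). The log lines are constructed for the example and are not real data.

```python
import re
from typing import Dict, Iterable, List, Optional

Record = Dict[str, str]

# Constructed sample records in raw /var/log/audit/audit.log format
# (made-up values; events 456 and 459 are interactive root, the rest are
# daemon chatter or a non-root user).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1409000000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1409000000.123:456): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1409000001.000:457): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key=(null)
type=EXECVE msg=audit(1409000001.000:457): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=SYSCALL msg=audit(1409000002.000:458): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=800 pid=801 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1409000003.000:459): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3000 pid=3001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=6 comm="vi" exe="/usr/bin/vi" key=(null)
type=SYSCALL msg=audit(1409000004.000:460): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=7 comm="id" exe="/usr/bin/id" key=(null)
"""

# key=value tokens; quoted values may contain spaces, unquoted ones may not.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The event serial lives inside msg=audit(<timestamp>:<serial>):
_MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> Optional[Record]:
    """Split one raw audit.log line into a dict of its key=value fields.

    Adds an 'event' key holding the serial from msg=audit(ts:serial) so
    that the SYSCALL, EXECVE, CWD and PATH records of one event can be
    grouped. Returns None for lines that do not look like audit records.
    """
    fields: Record = {}
    for key, value in _KV_RE.findall(line):
        fields[key] = value.strip('"')
    if "type" not in fields or "msg" not in fields:
        return None
    m = _MSG_RE.search(fields["msg"])
    if m is None:
        return None
    fields["event"] = m.group(2)
    return fields


def is_interactive_root(rec: Record) -> bool:
    """True for a SYSCALL record of a root-euid process attached to a tty.

    sshd, automount and cron log tty=(none); interactive shells log pts0,
    tty1, and so on. auid=4294967295 means the login uid was never set
    (process started at boot), so those are excluded as a belt-and-braces
    check even if they somehow report a tty.
    """
    if rec.get("type") != "SYSCALL":
        return False
    if rec.get("euid") != "0":
        return False
    if rec.get("tty", "(none)") == "(none)":
        return False
    return rec.get("auid") != "4294967295"


def filter_interactive_root(lines: Iterable[str]) -> List[Record]:
    """Return all records of events whose SYSCALL record is interactive root.

    Two passes: companion records (EXECVE, CWD, PATH) carry no tty or
    euid, so the decision is made on the SYSCALL record and then applied
    to every record sharing that event serial.
    """
    records = [r for r in (parse_record(ln) for ln in lines) if r is not None]
    keep = {r["event"] for r in records if is_interactive_root(r)}
    return [r for r in records if r["event"] in keep]


if __name__ == "__main__":
    for rec in filter_interactive_root(SAMPLE_LOG.splitlines()):
        print(rec["event"], rec["type"], rec.get("tty", ""), rec.get("comm", rec.get("a0", "")))
```

Run it against a real file with `filter_interactive_root(open("/var/log/audit/audit.log"))`; on a multi-line audit.log the two-pass design means the whole file is held in memory, which is fine for a daily log but would want a streaming serial window for very large archives.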