On Wednesday, August 04, 2010 06:25:59 am List Quest wrote:
> I need filter logs to terminal name (if tty/terminal equal none, write to
> audit.log).
>
> Example: -a entry,always -S execve -F tty!=none
>
> But, no use tty in filter parameter list. How this?

The kernel does not filter on tty because it is a text string and not a number. So, all events would get recorded. You would then run a search against the logs to find the records you want. That's the way it is unless someone submits patches. ;)

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
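Added example, not part of the original thread: a sketch of the "record everything, then search the log" approach described in the reply, splitting execve events on the `tty` field after the fact. The log records are constructed, the function names are hypothetical, and syscall number 59 for execve assumes x86_64.

```python
import re

# Constructed sample records in raw audit.log format (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1280917559.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=500 uid=500 tty=pts0 ses=1 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1280917559.101:201): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1280917560.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1300 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key=(null)
type=SYSCALL msg=audit(1280917561.010:203): arch=c000003e syscall=2 success=yes exit=3 ppid=1200 pid=1310 auid=500 uid=500 tty=tty1 ses=2 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1280917562.400:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1320 auid=500 uid=500 tty=tty1 ses=2 comm="su" exe="/bin/su" key=(null)
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# Quoted values are matched as one token, so text inside quotes is never
# mistaken for a separate key=value pair.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_NR = "59"  # assumption: x86_64 (arch=c000003e) syscall number for execve


def parse_record(line):
    """Split one raw audit.log line into (type, serial, fields), or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec_type, _timestamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rec_type, int(serial), fields


def execve_events(log_text, with_terminal=True):
    """Return (serial, tty, exe) for execve SYSCALL records, split on tty.

    with_terminal=True  -> the intent of the rejected '-F tty!=none'
    with_terminal=False -> only events whose tty is '(none)'
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue  # skip blank or malformed lines
        rec_type, serial, f = parsed
        if rec_type != "SYSCALL" or f.get("syscall") != EXECVE_NR:
            continue
        tty = f.get("tty", "(none)")  # a missing field counts as no terminal
        has_tty = tty not in ("(none)", "none")
        if has_tty == with_terminal:
            hits.append((serial, tty, f.get("exe", "?")))
    return hits
```

On a host with the audit userspace tools installed, `ausearch -sc execve -tm pts0` performs the equivalent search for a single terminal.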
