So if I am correct, there is no way we can get the normal user activity through the auditd daemon...

Or, please suggest the best way to capture the activity logs for normal users...

On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <[email protected]> wrote:

> ----- Original Message -----
> > So my question is why normal users' audit event logs can't be captured
> > as a "type=USER_TTY", whereas root logs can be captured in a
> > similar way.
>
> USER_TTY is sent by the process that accepts the keyboard input.
> Unprivileged users are not allowed to send audit records (otherwise they
> would be able to fill the queue and/or the log partition, causing a DoS),
> so the USER_TTY record is discarded.
>
> Even for unprivileged users you should have the type=TTY records, although
> they are noticeably more difficult to interpret.
>     Mirek

--
Thanks & Regards,
- Koresh
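The quoted reply says that type=TTY records are still written for unprivileged users but are harder to interpret. The following is an added example, not part of the thread and not code from the audit project, that decodes the hex `data=` field of such records into readable input lines. The sample records are constructed, and the names `render_keystrokes` and `decode_tty_records` are hypothetical.

```python
import re

# Constructed sample records in the kernel's type=TTY layout (not real logs).
SAMPLE = [
    'type=TTY msg=audit(1350558000.101:451): tty pid=2301 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C0D',
    'type=TTY msg=audit(1350558004.220:452): tty pid=2301 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6364202F746D70707F0D',
    'type=TTY msg=audit(1350558006.000:453): tty pid=2301 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C7',
    'type=CWD msg=audit(1350558009.000:454): cwd="/home/user"',
]

TTY_RE = re.compile(r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty (?P<fields>.*)$')

def render_keystrokes(raw):
    """Replay raw input bytes: apply backspace/DEL, split on CR/LF, mark other control bytes."""
    lines, cur = [], []
    for b in raw:
        if b in (0x08, 0x7F):            # backspace / DEL erases the previous key
            if cur:
                cur.pop()
        elif b in (0x0D, 0x0A):          # Enter ends the current input line
            lines.append("".join(cur))
            cur = []
        elif 0x20 <= b < 0x7F:           # printable ASCII
            cur.append(chr(b))
        else:                            # escape sequences, Ctrl-keys, etc.
            cur.append(f"<{b:02X}>")
    if cur:
        lines.append("".join(cur))
    return lines

def decode_tty_records(log_lines):
    """Return one dict per well-formed type=TTY record; other types and bad hex are skipped."""
    out = []
    for line in log_lines:
        m = TTY_RE.match(line.strip())
        if not m:
            continue
        f = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        try:
            raw = bytes.fromhex(f.get("data", ""))
        except ValueError:               # truncated or corrupted data field
            continue
        out.append({"time": float(m["ts"]), "auid": int(f.get("auid", -1)),
                    "comm": f.get("comm", "").strip('"'), "lines": render_keystrokes(raw)})
    return out

if __name__ == "__main__":
    for rec in decode_tty_records(SAMPLE):
        print(rec["time"], rec["auid"], rec["comm"], rec["lines"])
```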
