auditctl -a exit,always -S execve -F success=1 will audit-log all successful execve(2) calls by all uids. It will incur a (possibly significant) performance hit, though. Is there a particular binary/user you're concerned about?
On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <[email protected]> wrote:
>
> So if I am correct, there is no way we can get the normal user activity
> through the auditd daemon ...
>
> Or, please suggest the best way to capture the activity logs for normal
> users ....
>
>
> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <[email protected]> wrote:
>>
>> ----- Original Message -----
>> > So my question is why normal users' audit event logs can't be captured
>> > as a "type=USER_TTY", whereas root logs can be captured in a
>> > similar way.
>> USER_TTY is sent by the process that accepts the keyboard input.
>> Unprivileged users are not allowed to send audit records (otherwise they
>> would be able to fill the queue and/or the log partition, causing a DoS), so
>> the USER_TTY record is discarded.
>>
>> Even for unprivileged users you should have the type=TTY records, although
>> they are noticeably more difficult to interpret.
>>     Mirek
>
>
> --
> Thanks & Regards,
> - Koresh

--
Peter Moody
Google
1.650.253.7306
Security Engineer
pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
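A worked example added here; it is not from Peter's mail, the thread, or the audit project. It narrows the execve rule above to one login uid (the "particular user" Peter asks about) and shows how to pull "who executed what" out of the SYSCALL/EXECVE records such a rule produces. Assumptions: `-F auid=` and `-k` are used as the standard auditctl filter and key options, `-F arch=b64` is added so the syscall name resolves unambiguously (syscall 59 is execve on x86_64), and the audit.log lines in SAMPLE_LOG are constructed for the example rather than captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread. The sample records below are constructed.

# Peter's rule, narrowed to one login uid and tagged with a key so that
# `ausearch -k <key>` can pull the matching records back out.
exec_rule() {
    auid="$1"; key="${2:-user_exec}"
    printf '%s\n' "-a exit,always -F arch=b64 -S execve -F success=1 -F auid=$auid -k $key"
}

# Constructed audit.log excerpt: one event = a SYSCALL record plus an EXECVE
# record sharing the same serial (the number after the timestamp).
# Event 4712 is a failed execve and must be ignored; 4713 is root's.
SAMPLE_LOG='type=SYSCALL msg=audit(1350556800.123:4711): arch=c000003e syscall=59 success=yes exit=0 a0=7fff1000 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user_exec"
type=EXECVE msg=audit(1350556800.123:4711): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1350556800.456:4712): arch=c000003e syscall=59 success=no exit=-2 a0=7fff2000 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="user_exec"
type=EXECVE msg=audit(1350556800.456:4712): argc=1 a0="nosuchcmd"
type=SYSCALL msg=audit(1350556800.789:4713): arch=c000003e syscall=59 success=yes exit=0 a0=7fff3000 ppid=1 pid=2003 auid=0 uid=0 gid=0 euid=0 tty=(none) ses=1 comm="cron" exe="/usr/sbin/cron" key="user_exec"
type=EXECVE msg=audit(1350556800.789:4713): argc=1 a0="cron"'

# Read audit records on stdin, print one line per successful execve:
#   auid=<login uid> uid=<uid> exe=<path> argv=<args>
exec_events() {
    awk '
    # f(k): value of the "k=..." field in the current record, quotes stripped.
    # Anchored on a leading space so "uid" does not match inside "auid"/"euid".
    function f(k,   v) {
        if (!match($0, "(^| )" k "=[^ ]*")) return ""
        v = substr($0, RSTART, RLENGTH)
        sub(/^ ?[^=]*=/, "", v); gsub(/"/, "", v)
        return v
    }
    # serial(): the event id in msg=audit(SECS.MSEC:ID):
    function serial(   s) {
        s = $2; sub(/^msg=audit\([0-9.]*:/, "", s); sub(/\):$/, "", s)
        return s
    }
    # Keep only successful execve SYSCALL records, keyed by event id.
    $1 == "type=SYSCALL" && f("syscall") == "59" && f("success") == "yes" {
        who[serial()] = "auid=" f("auid") " uid=" f("uid") " exe=" f("exe")
    }
    # Join the EXECVE argv onto its SYSCALL record. Quoted args are unquoted;
    # hex-encoded args (unquoted, used when an arg has special chars) pass through.
    $1 == "type=EXECVE" {
        id = serial()
        if (!(id in who)) next
        argv = ""
        for (i = 3; i <= NF; i++) {
            if ($i !~ /^a[0-9]+=/) continue
            v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
            argv = argv (argv == "" ? "" : " ") v
        }
        print who[id] " argv=" argv
    }'
}

# Usage: the rule to drop into /etc/audit/rules.d/, then the parsed events.
exec_rule 1000
printf '%s\n' "$SAMPLE_LOG" | exec_events
```

With a real system, feed `ausearch -k user_exec --raw` (or the audit.log itself) into exec_events instead of SAMPLE_LOG; `success=1` in the rule keeps the failed event 4712 from ever being written, which is where much of the volume (and the performance cost) comes from.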
