Whoops, ignore this. I had misread your rules.

On Thu, Oct 18, 2012 at 8:35 AM, Peter Moody <[email protected]> wrote:
> Also, from the auditctl manpage:
>
>     The following describes the valid actions for the rule:
>
>     never  No audit records will be generated. This can be used to
>            suppress event generation. In general, you want suppressions at the
>            top of the list instead of the bottom. This is because the event
>            triggers on the first matching rule.
>
>
> On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <[email protected]> wrote:
>> auditctl -a exit,always -S execve -F success=1
>>
>> will audit log all successful execve(2) calls by all uids. It will
>> incur a (possibly significant) performance hit though. Is there a
>> particular binary/user you're concerned about?
>>
>>
>> On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <[email protected]> wrote:
>>>
>>> So if I am correct, there is no way we can get the normal user activity
>>> through the auditd daemon ...
>>>
>>> Or, please suggest the best way to capture the activity logs for normal
>>> users ....
>>>
>>>
>>> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <[email protected]> wrote:
>>>>
>>>> ----- Original Message -----
>>>> > So my question is why normal users' audit event logs can't be captured
>>>> > as a "type=USER_TTY", whereas root logs can be captured
>>>> > the same way.
>>>> USER_TTY is sent by the process that accepts the keyboard input.
>>>> Unprivileged users are not allowed to send audit records (otherwise they
>>>> would be able to fill the queue and/or the log partition, causing a DoS),
>>>> so the USER_TTY record is discarded.
>>>>
>>>> Even for unprivileged users you should have the type=TTY records, although
>>>> they are noticeably more difficult to interpret.
>>>>     Mirek
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> - Koresh
>>
>>
>> --
>> Peter Moody      Google    1.650.253.7306
>> Security Engineer  pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
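The rule quoted in the thread (auditctl -a exit,always -S execve -F success=1) writes one type=SYSCALL record per successful execve(2) into /var/log/audit/audit.log. The following is an added example, not part of the original thread or of the audit project: a small bash/awk filter that reads raw records of that shape and reports which login uid (auid) executed which binary. The log lines are constructed for the example; syscall=59 is execve on x86_64 only (the number is architecture-specific, which is why ausearch -i is the usual tool for real logs), and the key name "exec-log" is an assumed label that a -k option on the rule would set.

```bash
#!/usr/bin/env bash
# Constructed sample of raw audit.log SYSCALL records (not real data).
# Record 1: successful execve by auid 1000.  Record 2: failed execve (success=no).
# Record 3: successful open (syscall=2), not an exec.  Record 4: successful execve by root.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1350570000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec-log"
type=SYSCALL msg=audit(1350570000.102:202): arch=c000003e syscall=59 success=no exit=-2 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1000 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="exec-log"
type=SYSCALL msg=audit(1350570000.103:203): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1000 pid=1003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1350570000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2000 pid=2001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" key="exec-log"'

# successful_execs: read raw audit records on stdin and print "<auid> <exe>"
# for every SYSCALL record that is a successful execve(2).
# Note the rule is written "-F success=1" but the log spells it "success=yes".
# auid is the login uid, which survives su/sudo, so it attributes the exec
# to the person who logged in rather than to the effective uid.
successful_execs() {
    awk '
        $1 == "type=SYSCALL" {
            is_execve = 0; ok = 0; auid = "?"; exe = "?"
            for (i = 2; i <= NF; i++) {
                if ($i == "syscall=59") is_execve = 1          # execve on x86_64 (arch-specific)
                else if ($i == "success=yes") ok = 1
                else if (index($i, "auid=") == 1) auid = substr($i, 6)
                else if (index($i, "exe=") == 1) { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            if (is_execve && ok) print auid, exe
        }'
}

# exec_count_for_auid AUID: how many successful execs the sample attributes
# to a given login uid (a simple per-user activity count).
exec_count_for_auid() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | successful_execs | awk -v want="$1" '$1 == want' | wc -l | tr -d ' '
}

# Stand-alone usage: list the successful execs in the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | successful_execs
```

On a live system the same filter can be fed with `sudo cat /var/log/audit/audit.log | successful_execs`; the failed exec and the non-exec record in the sample are dropped, which mirrors what the -F success=1 rule leaves out at collection time.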
