Some security requirements include auditing events by users and root. So the line might include something like:
-F auid=0 -F auid>=500 -F auid!=4294967295 My question is, if you don't include that phrase will the audit system still get everything and not incur a serious performance hit. Effectively it will audit everything for users 1-499, the usual system accounts. Leam -- Mind on a Mission <http://leamhall.blogspot.com/>
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
