- Original Message -
So my question is why normal users' audit event logs can't be captured
as a type=USER_TTY, whereas root logs can be captured
the same way.
USER_TTY is sent by the process that accepts the keyboard input. Unprivileged
users are not allowed to send audit records.
So if I am correct, there is no way we can get the normal user activity
through the auditd daemon ...
Or, please suggest the best way to capture the activity logs for normal
users.
On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac m...@redhat.com wrote:
- Original Message -
So my
auditctl -a exit,always -S execve -F success=1
will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user you're concerned about?
On Thu, Oct 18, 2012 at 6:35 AM, Koresh... koreshku...@gmail.com
Also, from the auditctl manpage:
The following describes the valid actions for the rule:
never No audit records will be generated. This can be used to
suppress event generation. In general, you want suppressions at the
top of the list instead of the bottom. This is because the event
Whoops, ignore this. I had misread your rules.
On Thu, Oct 18, 2012 at 8:35 AM, Peter Moody pmo...@google.com wrote:
Also, from the auditctl manpage:
The following describes the valid actions for the rule:
never No audit records will be generated. This can be used to
suppress event
On Thursday, October 18, 2012 08:33:59 AM Peter Moody wrote:
auditctl -a exit,always -S execve -F success=1
will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user you're concerned about?
Hi Team,
I have enabled the audit logs recently ... Currently the auditd daemon is
logging all the events and syscalls based on the default rule set ...
But currently it only records the events done by the root user or via
sudo ...
Need your help to configure the same group-wise ... so
What rules are currently installed and what logs are you seeing?
On Oct 17, 2012 5:59 AM, Koresh... koreshku...@gmail.com wrote:
Hi Team,
I have enabled the audit logs recently ... Currently the auditd daemon is
logging all the events and syscalls based on the default rule set ...
But
Hi Peter,
Currently I am trying to achieve the same through the below configuration in the
audit.rules file ...
# Audit all execve calls
-a entry,always -S execve
-a entry,never
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exclude,always
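Putting the thread's pieces together, here is an added example of my own (not code posted by anyone in the thread). Peter's `-a exit,always -S execve -F success=1` rule already fires for every uid; one reason a log can still look root-only is reading the `uid=` field instead of `auid=`, since a command run through sudo carries uid=0 but keeps the login uid (auid) of the user who logged in, which pam_loginuid sets once and su/sudo cannot change. The script below defines a rules fragment that keys every successful execve by logged-in users and a small awk pass over constructed audit.log records that reports each exec as "auid uid exe". It assumes auditd 2.x on x86_64 (so execve is syscall 59 in the raw records), that ordinary users have uid >= 500 as on RHEL 6 of that era, and the key name `user_exec`; all of those are this example's choices, not something the thread states. For a literal group filter, auditctl also accepts `-F gid=` and `-F egid=`, but filtering on auid is what attributes sudo activity to a person.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes auditd 2.x on x86_64 (execve is
# syscall 59 there, which is what the parser keys on), ordinary users at uid >= 500
# (RHEL 6 convention; use 1000 on newer distributions), and a key name of my choosing.

# Rules: log every successful execve that has a login uid (auid) set. auid is set by
# pam_loginuid at login and survives su/sudo, so commands run as root via sudo are still
# attributed to the user who logged in. auid=4294967295 (-1) means no login session at
# all (boot-time daemons, cron), which is the noise worth dropping.
# Load with:  auditctl -R ./user_exec.rules   (or append to /etc/audit/audit.rules)
user_exec_rules() {
  cat <<'EOF'
-a exit,always -F arch=b64 -S execve -F success=1 -F auid>=500 -F auid!=4294967295 -k user_exec
-a exit,always -F arch=b32 -S execve -F success=1 -F auid>=500 -F auid!=4294967295 -k user_exec
EOF
}

# Constructed sample records in /var/log/audit/audit.log format (not a real capture).
# 4501: user 500 runs ls; 4502: the same user runs id under sudo (auid=500, uid=0);
# 4503: a cron job with no login uid; 4504: an open(2) record (syscall=2) produced by
# some other rule, which is not an execve and must be ignored.
sample_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1350563400.101:4501): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c0 a1=1a2b500 a2=1a2b800 a3=8 items=2 ppid=2301 pid=2310 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user_exec"
type=EXECVE msg=audit(1350563400.101:4501): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1350563410.202:4502): arch=c000003e syscall=59 success=yes exit=0 a0=2c3d4e0 a1=2c3d600 a2=2c3d900 a3=8 items=2 ppid=2320 pid=2331 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="user_exec"
type=SYSCALL msg=audit(1350563420.303:4503): arch=c000003e syscall=59 success=yes exit=0 a0=3d4e5f0 a1=3d4e700 a2=3d4ea00 a3=8 items=2 ppid=1890 pid=2350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key=(null)
type=SYSCALL msg=audit(1350563430.404:4504): arch=c000003e syscall=2 success=yes exit=3 a0=4e5f600 a1=0 a2=1b6 a3=0 items=1 ppid=2310 pid=2360 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key=(null)
EOF
}

# Reduce execve SYSCALL records to "auid uid exe" lines, one per exec, dropping records
# without a login uid. On a real box feed it with:  ausearch -k user_exec --raw
summarize_execs() {
  awk '
    /type=SYSCALL/ && /syscall=59/ && /success=yes/ {
      auid = ""; uid = ""; exe = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "auid")     auid = kv[2]
        else if (kv[1] == "uid") uid = kv[2]   # euid/suid/fsuid do not match this key
        else if (kv[1] == "exe") exe = kv[2]
      }
      if (auid == "" || auid == "4294967295") next   # no login session: daemon/cron
      gsub(/"/, "", exe)
      print auid, uid, exe
    }'
}

# Count how many execs a given login uid performed, whatever uid they ran as.
count_execs_for_auid() {
  summarize_execs | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

user_exec_rules
sample_log | summarize_execs
```

On the sample input the summary prints `500 500 /bin/ls` and `500 0 /usr/bin/id`: both are attributed to login uid 500 even though the second ran as root, while the cron exec and the open(2) record are dropped. Note the caveat Peter raised still applies: an unfiltered execve rule is noisy on a busy host, so key it and confine it with auid bounds rather than leaving it open, and check the result with `ausearch -k user_exec -i` or `aureport -x --summary` after loading the rules.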