Since we will soon be able to filter USER messages by auid, I have a question about what the default behavior will be.
Currently, all USER messages are captured by default, will this remain true? Or will there be a new auditctl rule to
turn on or off auditing of USER messages, similar to how we have "-S all" for syscalls?
Once we are able to audit by auid, will we then audit all USER messages unless the auid of the
USER message matches a filter rule such as "auditctl -a exit,always -F auid!=<auid>"?