USER messages - default behavior

Debora Velarde dvelarde at us.ibm.com
Thu Jun 16 18:09:11 UTC 2005





Since we will soon be able to filter USER messages by auid, I have a
question about what the default behavior will be.
Currently, all USER messages are captured by default; will this remain
true?  Or will there be a new auditctl rule to turn on or off auditing
of USER messages, similar to how we have "-S all" for syscalls?

Once we are able to audit by auid, will we then audit all USER messages
unless the auid of the USER message matches a filter rule such as
"auditctl -a exit,always -F auid!=<auid>"?

Thanks,
debbie