[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

USER messages - default behavior



Since we will soon be able to filter USER messages by auid, I have a question about what the default behavior will be.
Currently, all USER messages are captured by default, will this remain true?  Or will there be a new auditctl rule to
turn on or off auditing of USER messages, similar to how we have "-S all" for syscalls?

Once we are able to audit by auid, will we then audit all USER messages unless the auid of the
USER message matches a filter rule such as "auditctl -a exit,always -F auid!=<auid>"?

Thanks,
debbie


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]