[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Differentiating user activity from system activity



In the broadest possible sense, including definitions of 'user activity'
and 'system activity', what schemes have people considered for the
above?

On other unixes, audit events have an associated 'terminal'. On the face
of it, this seems like a reasonable differentiator. I.e. a 'user'
process has a terminal, a 'system' process does not. Is this any good?

On Linux we don't record a terminal. How about a non-default auid? What
about system daemons restarted by an administrator? How about SELinux?

Your thoughts appreciated,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]