
Re: Differentiating user activity from system activity



On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote:
> On Linux we don't record a terminal. 

We do record terminal info in the tty & term fields. Additionally, if the auid 
and ses fields are -1, you know it's a process that was descended from init. 
If they have something in them, then it was descended from a login session.

> What about system daemons restarted by an administrator?

They would inherit the admin's environment and identifiers.

> How about SELinux? 

Not sure how this applies.

-Steve
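
The auid/ses rule from the reply above, as an added example that is not part of the original message: a Python sketch that classifies raw audit records as system or login-session activity. The sample records are constructed, and accepting 4294967295 alongside -1 assumes the raw log prints the unset value as an unsigned 32-bit integer.

```python
import re

# "-1" as written in the email, plus the same value as an unsigned 32-bit
# integer (assumption: this is how the raw log prints an unset auid/ses).
UNSET = {"-1", "4294967295"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records: a daemon started at boot, an admin's
# interactive command, and a daemon restarted by that same admin.
SAMPLE = [
    'type=SYSCALL msg=audit(1236634929.101:410): syscall=59 ppid=1 pid=2100 '
    'auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"',
    'type=SYSCALL msg=audit(1236634950.220:415): syscall=59 ppid=3050 pid=3071 '
    'auid=500 uid=0 tty=pts0 ses=3 comm="vi" exe="/bin/vi"',
    'type=SYSCALL msg=audit(1236634990.007:421): syscall=59 ppid=3050 pid=3102 '
    'auid=500 uid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd"',
]

def parse_record(line):
    """Return the key=value fields of one raw audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(line):
    """Apply the rule from the email: auid and ses both unset means the
    process descended from init; both set means a login session."""
    f = parse_record(line)
    if "auid" not in f or "ses" not in f:
        return "unknown"          # record type without these fields
    auid_unset = f["auid"] in UNSET
    ses_unset = f["ses"] in UNSET
    if auid_unset and ses_unset:
        return "system"
    if not auid_unset and not ses_unset:
        return "login-session"
    return "inconsistent"         # only one of the two is set: flag for review

def report(lines):
    """Return (comm, auid, tty, ses, classification) for each record."""
    out = []
    for line in lines:
        f = parse_record(line)
        out.append((f.get("comm"), f.get("auid"), f.get("tty"),
                    f.get("ses"), classify(line)))
    return out

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The third record is the restarted-daemon case from the thread: httpd runs as uid 0 but carries the admin's auid and ses, so it is classified as login-session activity.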

