Help on Audit Rules

Peter Moody pmoody at google.com
Thu Oct 18 15:33:59 UTC 2012


auditctl -a exit,always -S execve -F success=1

will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user you're concerned about?



On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar at gmail.com> wrote:
>
> So if I am correct, there is no way we can get the normal user activity
> through the auditd daemon ...
>
> Or , please suggest the best way to capture the activity logs for normal
> users ....
>
>
>
> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr at redhat.com> wrote:
>>
>> ----- Original Message -----
>> > So my question is why normal users' audit event logs can't be captured
>> > as a "type=USER_TTY", whereas root logs can be captured in a
>> > similar way.
>> USER_TTY is sent by the process that accepts the keyboard input.
>> Unprivileged users are not allowed to send audit records (otherwise they
>> would be able to fill the queue and/or the log partition, causing a DoS), so
>> the USER_TTY record is discarded.
>>
>> Even for unprivileged users you should have the type=TTY records, although
>> they are noticeably more difficult to interpret.
>>    Mirek
>
>
>
>
> --
>
>
> Thanks & Regards,
>
> - Koresh
>
>
>
-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
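Added example (not part of the thread, and not tooling from the audit project): a small Python parser for the records an execve rule like the one above writes to audit.log. It groups records by event serial, keeps only SYSCALL events with success=yes (what `-F success=1` selects), rebuilds argv from the EXECVE record including auditd's hex-encoded arguments, and decodes the hex `data=` field of the TTY records Mirek mentions, which is the part that makes them hard to read by eye. The log lines, pids, timestamps and paths below are constructed for the example, not captured from a real host.

```python
"""Offline parser for auditd execve and TTY records. Sample records below
are constructed for illustration, not captured from a real system."""
import re
from collections import defaultdict

# Constructed audit.log excerpt: one successful execve, one failed execve,
# one TTY keystroke record, one USER_TTY record (root only, see the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1350574439.123:1001): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=3c4d a2=5e6f a3=0 items=2 ppid=2345 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec-audit"
type=EXECVE msg=audit(1350574439.123:1001): argc=3 a0="ls" a1="-la" a2=2F746D702F6D79206469722F
type=CWD msg=audit(1350574439.123:1001):  cwd="/home/koresh"
type=PATH msg=audit(1350574439.123:1001): item=0 name="/bin/ls" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1350574440.456:1002): arch=c000003e syscall=59 success=no exit=-2 a0=1a2b a1=3c4d a2=5e6f a3=0 items=1 ppid=2345 pid=2347 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="exec-audit"
type=EXECVE msg=audit(1350574440.456:1002): argc=1 a0="nosuchcmd"
type=TTY msg=audit(1350574441.789:1003): tty=pts0 uid=1000 auid=1000 major=136 minor=0 comm="bash" data=6C73202D6C610D
type=USER_TTY msg=audit(1350574442.012:1004): pid=2000 uid=0 auid=0 ses=1 msg='text=whoami'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"([\w\[\]]+)=(\"[^\"]*\"|'[^']*'|\S+)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")  # auditd emits uppercase hex


def parse_record(line):
    """Split one auditd line into type, timestamp, event serial and raw fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": dict(FIELD_RE.findall(body))}


def unquote(raw):
    """Strip the quotes auditd puts around literal string values."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def decode_hex(raw):
    """auditd hex-encodes a string field (unquoted) when it contains a space,
    a quote or a non-printable byte. Anything else is treated as an error."""
    if not HEX_RE.match(raw):
        raise ValueError("not an auditd hex string: %r" % raw)
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def decode_execve_arg(raw):
    """EXECVE aN values are either quoted literals or unquoted hex."""
    return unquote(raw) if raw[0] in "\"'" else decode_hex(raw)


def execve_argv(fields):
    """Rebuild argv; an over-long argument is split into aN[0], aN[1], ... chunks."""
    argv = []
    for i in range(int(fields["argc"])):
        key = "a%d" % i
        if key in fields:
            argv.append(decode_execve_arg(fields[key]))
            continue
        chunks = sorted((int(k[len(key) + 1:-1]), v)
                        for k, v in fields.items() if k.startswith(key + "["))
        argv.append("".join(decode_execve_arg(v) for _, v in chunks))
    return argv


def group_events(lines):
    """Records sharing an event serial describe one syscall; group them."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def successful_execs(lines):
    """Events the rule `-S execve -F success=1` selects: SYSCALL success=yes,
    joined with the EXECVE (argv) and CWD records of the same serial."""
    out = []
    for serial, recs in sorted(group_events(lines).items()):
        by_type = {r["type"]: r["fields"] for r in recs}
        sc = by_type.get("SYSCALL")
        if not sc or sc.get("success") != "yes" or "EXECVE" not in by_type:
            continue
        out.append({"serial": serial, "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                    "exe": unquote(sc["exe"]),
                    "cwd": unquote(by_type.get("CWD", {}).get("cwd", '""')),
                    "argv": execve_argv(by_type["EXECVE"])})
    return out


def tty_input(lines):
    """Decode TTY records (hex keystrokes) and USER_TTY records (plain text,
    which only privileged senders can emit, as explained in the thread)."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if not rec:
            continue
        f = rec["fields"]
        if rec["type"] == "TTY":
            out.append(("TTY", int(f["auid"]), decode_hex(f["data"])))
        elif rec["type"] == "USER_TTY":
            out.append(("USER_TTY", int(f["auid"]), unquote(f["msg"]).partition("text=")[2]))
    return out


if __name__ == "__main__":
    for ev in successful_execs(SAMPLE_LOG.splitlines()):
        print(ev["serial"], "auid=%d" % ev["auid"], ev["exe"], ev["argv"], "cwd=" + ev["cwd"])
    for rtype, auid, text in tty_input(SAMPLE_LOG.splitlines()):
        print(rtype, "auid=%d" % auid, repr(text))
```

Note that a numeric field such as `pid=2346` is also a run of hex digits, so the parser only hex-decodes fields that auditd defines as strings (EXECVE arguments and TTY data) rather than guessing per value. The failed execve in the sample is dropped exactly as the `-F success=1` filter would drop it in the kernel, and the USER_TTY record carries auid=0 because, as Mirek notes, unprivileged senders' USER_TTY records are discarded.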