Help on Audit Rules

Peter Moody pmoody at google.com
Thu Oct 18 15:35:26 UTC 2012


Also, from the auditctl manpage:

The following describes the valid actions for the rule:

never       No audit records will be generated. This can be used to
suppress event generation. In general, you want suppressions at the
top of the list instead of the bottom. This is because the event
triggers on the first matching rule.


On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <pmoody at google.com> wrote:
> auditctl -a exit,always -S execve -F success=1
>
> will audit log all successful execve(2) calls by all uids. It will
> incur a (possibly significant) performance hit though. Is there a
> particular binary/user you're concerned about?
>
>
>
> On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar at gmail.com> wrote:
>>
>> So if I am correct, there is no way we can get the normal user activity
>> through auditd daemon ...
>>
>> Or, please suggest the best way to capture the activity logs for normal
>> users ....
>>
>>
>>
>> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr at redhat.com> wrote:
>>>
>>> ----- Original Message -----
>>> > So my question is why normal users' audit event logs can't be captured
>>> > as a "type=USER_TTY", whereas root logs can be captured in a
>>> > similar way.
>>> USER_TTY is sent by the process that accepts the keyboard input.
>>> Unprivileged users are not allowed to send audit records (otherwise they
>>> would be able to fill the queue and/or the log partition, causing a DoS), so
>>> the USER_TTY record is discarded.
>>>
>>> Even for unprivileged users you should have the type=TTY records, although
>>> they are noticeably more difficult to interpret.
>>>    Mirek
>>
>>
>>
>>
>> --
>>
>>
>> Thanks & Regards,
>>
>> - Koresh
>>
>>
>>
>
>
>
> --
> Peter Moody      Google    1.650.253.7306
> Security Engineer  pgp:0xC3410038



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
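An added example, not part of the thread: a rules fragment built around the execve rule Peter gives and the manpage's ordering advice (suppressions first, because the first matching rule wins), plus a small ordering check a defender can run before loading the file. Assumed, constructed values: uid 999 is a noisy service account to suppress, and ordinary users are uid >= 1000; the uid filter narrows the rule to limit the performance hit mentioned above.

```shell
#!/bin/sh
# Emit the rules fragment. "never" rules go first: a suppression placed below
# the "always" rule would never be reached, since matching stops at the first hit.
audit_rules() {
  cat <<'EOF'
## Suppression first (assumed noisy service account, uid 999)
-a exit,never -S execve -F uid=999 -k noisy-svc
## Log successful execve(2) calls by ordinary users only (assumed uid >= 1000)
-a exit,always -S execve -F success=1 -F uid>=1000 -k user-exec
EOF
}

# Read a rules fragment on stdin; exit non-zero if any "never" rule
# appears after an "always" rule, i.e. if it could never match.
check_order() {
  awk '
    /^-a (exit,always|always,exit)/ { seen_always = 1 }
    /^-a (exit,never|never,exit)/ && seen_always { bad = 1 }
    END { exit bad + 0 }'
}

# Load the fragment (requires root and a running auditd; not run here).
# Events can then be reviewed with:  ausearch -k user-exec -i
install_rules() {
  rules_file=${1:-/etc/audit/rules.d/50-user-exec.rules}
  audit_rules | check_order || { echo "misordered rules, not loading" >&2; return 1; }
  audit_rules > "$rules_file" && auditctl -R "$rules_file"
}
```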



