filtering by auid

David Woodhouse dwmw2 at infradead.org
Wed Jun 22 06:57:00 UTC 2005


On Tue, 2005-06-21 at 18:14 -0500, Debora Velarde wrote:
> Content-type: text/html; charset=US-ASCII
> Content-Disposition: inline
> 
> <html><body><p>I just updated my system to kernel.64 and audit 0.9.10.
> <br>I am still not able to filter user messages by auid.<br>
> Is this still a ToDo?  Or should this be working now and something is
> wrong in my setup?<br><br>Thanks,<br>debbie</body></html>

The default is that user messages are passed on. You need to insert a
rule which causes them to be denied -- so if you want to cause them to
be passed through only for one specific loginuid, you'd do something
like this:

auditctl -a user,never -F loginuid!=$LOGINUID
auditctl -a user,always -F loginuid=$LOGINUID

(I'm not sure if 'user' is the name that Steve actually chose when
adding this functionality to auditctl, but I strongly suspect that'll be
the case.)

Please don't send HTML mail.
 
-- 
dwmw2
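
A small model of the rule evaluation described in the message above, added here as an illustration (not code from the original post or from the audit project). It assumes first-match evaluation in the order the rules were added, plus the pass-by-default behaviour the message states; the loginuid 1000, the sample loginuids and the function names are constructed for the example.

```python
import re

# Only the two rule shapes shown in the message are modelled here.
RULE_RE = re.compile(r"-a\s+user,(never|always)\s+-F\s+loginuid(!=|=)(\d+)$")

def parse_rule(line):
    """Return (action, op, uid) for one 'auditctl -a user,... -F loginuid...' line."""
    m = RULE_RE.search(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {line!r}")
    action, op, uid = m.groups()
    return action, op, int(uid)

def user_filter_passes(rules, loginuid):
    """Model: rules are checked in the order added; the first match decides."""
    for action, op, uid in rules:
        matched = (loginuid == uid) if op == "=" else (loginuid != uid)
        if matched:
            return action == "always"
    return True  # no rule matched: user messages are passed on by default

def rules_for(loginuid):
    """The two commands from the message with $LOGINUID substituted."""
    return [
        parse_rule(f"auditctl -a user,never -F loginuid!={loginuid}"),
        parse_rule(f"auditctl -a user,always -F loginuid={loginuid}"),
    ]

# Constructed sample values: 1000 is the wanted loginuid, 1001 another user,
# 4294967295 is how an unset loginuid (-1) appears, e.g. for boot-time daemons.
SAMPLES = [1000, 1001, 4294967295]

def verdicts(rules):
    """Map each sample loginuid to True (passed on) or False (dropped)."""
    return {uid: user_filter_passes(rules, uid) for uid in SAMPLES}

if __name__ == "__main__":
    only_always = [parse_rule("auditctl -a user,always -F loginuid=1000")]
    print("no rules:        ", verdicts([]))
    print("always rule only:", verdicts(only_always))
    print("both rules:      ", verdicts(rules_for(1000)))
```

With only the `always` rule every message still passes, which is why the `never` rule is needed. Under this rule pair, messages from processes whose loginuid is unset are dropped along with those of other users.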




