filtering by auid
Loulwa Salem
loulwas at us.ibm.com
Wed Jun 22 18:22:04 UTC 2005
David Woodhouse wrote:
> auditctl -a user,never -F loginuid!=$LOGINUID
> auditctl -a user,always -F loginuid=$LOGINUID
>
The way you mentioned is for User messages filtering on auid. I see in
the man pages for auditctl there is a watch list as well. Can I safely
assume that the method below should filter on loginuid for watches?
auditctl -a watch,never -F auid=$LOGINUID
auditctl -a watch,always -F auid=$LOGINUID
Thanks
- Loulwa
More information about the Linux-audit
mailing list