Differentiating user activity from system activity
Matthew Booth
mbooth at redhat.com
Mon Mar 9 21:42:09 UTC 2009
In the broadest possible sense, including definitions of 'user activity'
and 'system activity', what schemes have people considered for the
above?
On other unixes, audit events have an associated 'terminal'. On the face
of it, this seems like a reasonable differentiator. I.e. a 'user'
process has a terminal, a 'system' process does not. Is this any good?
On Linux we don't record a terminal. How about a non-default auid? What
about system daemons restarted by an administrator? How about SELinux?
Your thoughts appreciated,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
More information about the Linux-audit
mailing list