Differentiating user activity from system activity
Steve Grubb
sgrubb at redhat.com
Tue Mar 10 15:52:36 UTC 2009
On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote:
> On Linux we don't record a terminal.
We do record terminal info in the tty & term fields. Additionally, if the auid
and ses fields are -1, you know it's a process that was descended from init.
If they have something in them, then it was descended from a login session.
> What about system daemons restarted by an administrator?
They would inherit the admin's environment and identifiers.
> How about SELinux?
Not sure how this applies.
-Steve
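The auid/ses rule described above, applied to audit records in code. This is an added example, not part of Steve's message; the log lines are constructed, and the 4294967295 value is how a raw audit.log writes the -1 (unset) loginuid and session id:

```python
import re

# In raw audit records an unset loginuid/session id is -1 stored as an
# unsigned 32-bit value (4294967295); `ausearch -i` renders it as "unset".
UNSET = {"-1", "4294967295", "unset"}

# key=value pairs; values may be double-quoted (exe="/usr/sbin/cron").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(fields):
    """'system' when auid and ses are both unset (descended from init),
    'user' when both carry a login session, 'ambiguous' otherwise."""
    auid, ses = fields.get("auid"), fields.get("ses")
    if auid is None or ses is None:
        return "ambiguous"
    if auid in UNSET and ses in UNSET:
        return "system"
    if auid not in UNSET and ses not in UNSET:
        return "user"
    return "ambiguous"


def classify_log(text):
    """Return (exe, tty, class) for every non-empty record in `text`."""
    out = []
    for line in text.splitlines():
        fields = parse_record(line)
        if fields:
            out.append((fields.get("exe", "?"), fields.get("tty", "?"), classify(fields)))
    return out


# Constructed sample records (not from a real system): raw format for the
# first three, `ausearch -i` interpreted format for the last. The third one
# is a daemon restarted from an admin's shell: no tty, but inherited auid/ses.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1236700000.101:201): arch=c000003e syscall=59 success=yes auid=4294967295 uid=0 ses=4294967295 tty=(none) comm="cron" exe="/usr/sbin/cron"
type=SYSCALL msg=audit(1236700000.102:202): arch=c000003e syscall=59 success=yes auid=1000 uid=0 ses=3 tty=pts0 comm="vim" exe="/usr/bin/vim"
type=SYSCALL msg=audit(1236700000.103:203): arch=c000003e syscall=59 success=yes auid=1000 uid=0 ses=3 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
type=SYSCALL msg=audit(03/10/2009 15:52:36.104:204) : arch=x86_64 syscall=execve success=yes auid=unset uid=root ses=unset tty=(none) comm=ntpd exe=/usr/sbin/ntpd
"""

if __name__ == "__main__":
    for exe, tty, kind in classify_log(SAMPLE_LOG):
        print(f"{kind:9s} tty={tty:6s} {exe}")
```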
More information about the Linux-audit mailing list