auditing activity where uid==0
Rich Whitcroft
rwhitcro at uwo.ca
Mon Oct 19 15:02:33 UTC 2009
Hi,
Here's my current rule, which is working, but is producing a lot of
extra log that I'd like to suppress:
-a entry,always -S execve -F euid=0
I'm wondering if there's a way to limit this to only audit events that
happen from a real tty, e.g. a human user. I'm getting lots of
extraneous chatter from sshd, automount, and cron, all of which are from
tty=(none), but I'm not sure it's possible to filter on tty...
Thanks
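One way to get the effect asked for above without a kernel-side tty filter is to drop the tty=(none) records when the log is processed, as an added example that is not part of the original post. The audit records below are constructed samples in auditd's standard key=value SYSCALL format, and the keys ("root-exec", "user-exec") are assumed, not from the rule in the post.

```python
import re

# Constructed sample audit SYSCALL records (not real log data): an
# interactive root shell running cat on pts1, cron's run-parts and sshd
# with tty=(none), and an unprivileged user running ls.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1255964553.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=3100 pid=3105 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="root-exec"
type=SYSCALL msg=audit(1255964553.205:202): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="root-exec"
type=SYSCALL msg=audit(1255964553.310:203): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=1 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="root-exec"
type=SYSCALL msg=audit(1255964553.412:204): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=3100 pid=3106 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="ls" exe="/bin/ls" key="user-exec"
"""

# key=value pairs; quoted values (comm, exe, key) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def interactive_root_execs(log_text):
    """Keep SYSCALL records where euid=0 and a real tty is attached.

    This is the post-hoc equivalent of the filter asked for in the post:
    records from sshd, automount and cron carry tty=(none) and are dropped,
    so only execs from a terminal session with euid 0 remain.
    Returns a list of (pid, tty, exe) tuples.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get("euid") != "0":
            continue
        tty = rec.get("tty", "(none)")
        if tty == "(none)":
            continue
        hits.append((rec["pid"], tty, rec["exe"]))
    return hits


if __name__ == "__main__":
    for pid, tty, exe in interactive_root_execs(SAMPLE_LOG):
        print(f"pid={pid} tty={tty} exe={exe}")
```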