auditing activity where uid==0

Rich Whitcroft rwhitcro at uwo.ca
Mon Oct 19 15:02:33 UTC 2009


Hi,

Here's my current rule, which is working, but is producing a lot of 
extra log that I'd like to suppress:

-a entry,always -S execve -F euid=0

I'm wondering if there's a way to limit this to only audit events that 
happen from a real tty, e.g. a human user. I'm getting lots of 
extraneous chatter from sshd, automount, and cron, all of which are from 
tty=(none), but I'm not sure it's possible to filter on tty...

Thanks




More information about the Linux-audit mailing list
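The kernel rule filter used by auditctl has no `tty` field (the `-F` fields cover things like `auid`, `euid`, `exe`, `pid`, `sessionid`, but not the controlling terminal), so the two practical routes are to narrow the rule by login uid, which the daemons mentioned above (sshd, automount, cron launched at boot) run without, and to post-filter the `tty=` field of SYSCALL records in userspace. The script below is an added example, not code from the original post or from the audit project: it assumes a human-account uid floor of 500 (RHEL-era; 1000 on newer distributions), a hypothetical rule key `root_exec`, and constructed sample audit records; the unset-auid value 4294967295 is what the kernel reports for processes that never passed through pam_loginuid.

```shell
#!/bin/sh
# Added example: two ways to cut tty=(none) noise from an execve/euid=0 rule.
# Not from the original post or the audit project; names and samples below
# are assumptions, marked as such.

# Assumed uid floor for interactive human accounts (500 on RHEL 5-era systems).
UID_MIN=${UID_MIN:-500}

# In-kernel narrowing: only record execve when euid==0 AND the login uid is a
# real user (auid set and >= UID_MIN). Daemons started at boot have auid unset
# (4294967295), so their chatter never reaches the log. Printed, not loaded;
# load with: auditctl $(execve_root_rule). Key name "root_exec" is assumed.
execve_root_rule() {
    printf -- '-a exit,always -S execve -F euid=0 -F auid>=%s -F auid!=4294967295 -k root_exec\n' "$UID_MIN"
}

# Userspace post-filter: keep SYSCALL records with euid=0 whose tty field is
# set to something other than "(none)". Works on raw audit.log lines.
filter_human_root_execs() {
    awk '
        /^type=SYSCALL / {
            tty = ""; euid = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "tty")  tty  = kv[2]
                if (kv[1] == "euid") euid = kv[2]
            }
            if (euid == "0" && tty != "" && tty != "(none)") print
        }'
}

# Constructed sample records (not captured from a real system): a cron job
# running as root with no tty, a root shell on pts0, an unprivileged command,
# and an EXECVE record that is not a SYSCALL line at all.
SAMPLE_LOG='type=SYSCALL msg=audit(1255964553.119:42): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b4c a2=1a2b5c a3=0 items=2 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root_exec"
type=SYSCALL msg=audit(1255964553.203:43): arch=c000003e syscall=59 success=yes exit=0 a0=2a2b3c a1=2a2b4c a2=2a2b5c a3=0 items=2 ppid=2001 pid=2010 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="bash" exe="/bin/bash" key="root_exec"
type=SYSCALL msg=audit(1255964553.301:44): arch=c000003e syscall=59 success=yes exit=0 a0=3a2b3c a1=3a2b4c a2=3a2b5c a3=0 items=2 ppid=2001 pid=2011 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="ls" exe="/bin/ls" key="root_exec"
type=EXECVE msg=audit(1255964553.301:44): argc=2 a0="ls" a1="-l"'

# Number of sample records that survive the tty/euid post-filter.
count_human_root_execs() {
    printf '%s\n' "$SAMPLE_LOG" | filter_human_root_execs | awk 'END { print NR }'
}

# Demo: show the tighter rule, then the records a human root shell produced.
execve_root_rule
printf '%s\n' "$SAMPLE_LOG" | filter_human_root_execs
```

The `auid` form is the one to prefer in production because it suppresses the records before they are written; the awk post-filter is useful for checking an existing log and for the cases the kernel filter cannot express, such as a root cron job that does get an auid from pam_loginuid but still has `tty=(none)`.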