Help on Audit Rules

Peter Moody pmoody at google.com
Thu Oct 18 15:50:35 UTC 2012


Whoops, ignore this. I had misread your rules.

On Thu, Oct 18, 2012 at 8:35 AM, Peter Moody <pmoody at google.com> wrote:
> Also, from the auditctl manpage:
>
> The following describes the valid actions for the rule:
>
> never       No audit records will be generated. This can be used to
> suppress event generation. In general, you want suppressions at the
> top of the list instead of the bottom. This is because the event
> triggers on the first matching rule.
>
>
> On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <pmoody at google.com> wrote:
>> auditctl -a exit,always -S execve -F success=1
>>
>> will audit log all successful execve(2) calls by all uids. It will
>> incur a (possibly significant) performance hit though. Is there a
>> particular binary/user you're concerned about?
>>
>>
>>
>> On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar at gmail.com> wrote:
>>>
>>> So if I am correct, there is no way we can get the normal user activity
>>> through the auditd daemon ...
>>>
>>> Or, please suggest the best way to capture the activity logs for normal
>>> users ....
>>>
>>>
>>>
>>> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr at redhat.com> wrote:
>>>>
>>>> ----- Original Message -----
>>>> > So my question is why normal users' audit event logs can't be captured
>>>> > as a "type=USER_TTY", whereas root logs can be captured in a
>>>> > similar way.
>>>> USER_TTY is sent by the process that accepts the keyboard input.
>>>> Unprivileged users are not allowed to send audit records (otherwise they
>>>> would be able to fill the queue and/or the log partition, causing a DoS), so
>>>> the USER_TTY record is discarded.
>>>>
>>>> Even for unprivileged users you should have the type=TTY records, although
>>>> they are noticeably more difficult to interpret.
>>>>    Mirek
>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>> Thanks & Regards,
>>>
>>> - Koresh
>>>
>>>
>>>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
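As an added example (not code from the thread), a small Python parser that makes the TTY records Mirek calls "noticeably more difficult to interpret" readable by hex-decoding their data= field, and does the same for the EXECVE arguments of the successful execve events Peter's rule produces. It assumes the standard audit.log text format; the sample records are constructed.

```python
import re

# Constructed sample records (not from the thread). TTY data= carries the
# keystrokes hex-encoded; EXECVE a<n> values are quoted when printable and
# hex-encoded otherwise. SYSCALL and EXECVE of one event share a serial (202).
SAMPLE_LOG = """\
type=TTY msg=audit(1350569735.001:201): tty pid=2310 uid=1000 auid=1000 ses=3 major=136 minor=2 comm="bash" data=6C73202D6C202F746D700D
type=SYSCALL msg=audit(1350569735.002:202): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=1a2c a2=1a2d a3=0 items=2 ppid=2310 pid=2411 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1350569735.002:202): argc=3 a0="ls" a1="-l" a2=2F746D70
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')

def decode_field(value):
    """Quoted values are literal strings; bare even-length hex is decoded."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def parse_record(line):
    """Return (record type, event serial, {field: raw value}) for one line."""
    head, rest = line.split(" ", 1)
    serial = re.search(r"audit\([\d.]+:(\d+)\)", rest).group(1)
    return head.split("=", 1)[1], serial, dict(FIELD_RE.findall(rest))

def summarize(log_text):
    """Group records by serial; report TTY keystrokes and successful execs."""
    events = {}
    for line in log_text.splitlines():
        rtype, serial, fields = parse_record(line)
        events.setdefault(serial, {})[rtype] = fields
    out = []
    for serial, recs in sorted(events.items()):
        if "TTY" in recs:
            t = recs["TTY"]
            out.append(f"{serial} TTY auid={t['auid']} keys={decode_field(t['data'])!r}")
        sc = recs.get("SYSCALL", {})
        if "EXECVE" in recs and sc.get("success") == "yes":
            e = recs["EXECVE"]
            argv = [decode_field(e[f"a{i}"]) for i in range(int(e["argc"]))]
            out.append(f"{serial} EXEC auid={sc['auid']} argv={argv}")
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```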