Since we will soon be able to filter USER messages by auid, I have a
question about what the default behavior will be.

Currently, all USER messages are captured by default. Will this remain
true? Or will there be a new auditctl rule to turn on or off auditing of
USER messages, similar to how we have "-S all" for syscalls?

Once we are able to audit by auid, will we then audit all USER messages
unless the auid of the USER message matches a filter rule such as
"auditctl -a exit,always -F auid!=<auid>"?

Thanks,
debbie