On Tue, 2009-03-10 at 11:52 -0400, Steve Grubb wrote:
> On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote:
> > On Linux we don't record a terminal.
>
> We do record terminal info in the tty & term fields. Additionally, if the auid
> and ses fields are -1, you know it's a process that was descended from init.
> If they have something in them, then it was descended from a login session.

I should have made this clear: the principal target is RHEL 4, although
RHEL 5 features are worth noting. Do these fields exist in RHEL 5?

> > What about system daemons restarted by an administrator?
>
> They would inherit the admin's environment and identifiers.

Is that something you've ever given any thought to? This could be quite
problematic in a number of situations. I suspect SELinux would be the
answer here.

> > How about SELinux?
>
> Not sure how this applies.

This would be RHEL 5 only, but I was thinking something along the lines
of differentiating based on SELinux context.

Matt
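
The auid/ses rule discussed in this thread, as an added example that is not part of either poster's message: it classifies audit records as init-descended or login-descended and separates out the restarted-daemon case. The sample records are constructed, and two things are assumptions of this sketch: that an unset value may appear as either `-1` or `4294967295`, and that a daemon restarted by an administrator shows up with a login auid/ses but no tty.

```python
import re

# Assumption: an unset auid/ses is (u32)-1 and may be printed as -1 or 4294967295.
UNSET = {"-1", "4294967295"}

# Constructed sample records in Linux audit SYSCALL style (not from the thread).
SAMPLE = """\
type=SYSCALL msg=audit(1236700000.101:40): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2101 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
type=SYSCALL msg=audit(1236700050.202:41): arch=c000003e syscall=59 success=yes exit=0 ppid=3001 pid=3050 auid=500 uid=500 tty=pts0 ses=3 comm="vi" exe="/bin/vi"
type=SYSCALL msg=audit(1236700090.303:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3120 auid=500 uid=0 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(rec):
    """Apply the auid/ses rule from the thread to one parsed record."""
    auid, ses = rec.get("auid"), rec.get("ses")
    if auid is None or ses is None:
        return "unknown"                  # record does not carry the fields
    if auid in UNSET and ses in UNSET:
        return "init-descended"           # never passed through a login
    if rec.get("tty") in (None, "(none)"):
        # Login identifiers but no terminal: e.g. a daemon restarted by an
        # administrator, which inherits the admin's auid and ses.
        return "login-descended, no tty"
    return "login-session"

def classify_log(text):
    """Return (comm, classification) for every non-empty record in text."""
    recs = (parse(line) for line in text.splitlines() if line.strip())
    return [(r.get("comm", "?"), classify(r)) for r in recs]

if __name__ == "__main__":
    for comm, label in classify_log(SAMPLE):
        print(f"{comm:8} {label}")
```
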