Re: filtering by auid
David Woodhouse wrote:
auditctl -a user,never -F loginuid!=$LOGINUID
auditctl -a user,always -F loginuid=$LOGINUID
The way you mentioned is for User messages filtering on auid. I see in
the man pages for auditctl there is a watch list as well. Can I safely
assume that the method below should filter on loginuid for watches?
auditctl -a watch,never -F auid=$LOGINUID
auditctl -a watch,always -F auid=$LOGINUID
Thanks
- Loulwa