Differentiating user activity from system activity

In the broadest possible sense, including definitions of 'user activity' and 'system activity', what schemes have people considered for the above? On other unixes, audit events have an associated 'terminal'. On the face of it, this seems like a reasonable differentiator. I.e. a 'user' process has a terminal, a 'system' process does not. Is this any good? On Linux we don't record a terminal. How about a non-default auid? What about system daemons restarted by an administrator? How about SELinux? Your thoughts appreciated, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490