auditctl -a exit,always -S execve -F success=1
will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user about you're concerned?
On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar(a)gmail.com> wrote:
So if i am correct, there is no way we can get the normal user activity
through auditd daemon ...
Or , please suggest the best way to capture the activity logs for normal
users ....
On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr(a)redhat.com> wrote:
>
> ----- Original Message -----
> > So my question is why normal users audit event logs cant be captured
> > as a "type=USER_TTY" , where as root logs can be captured
> > similarway.
> USER_TTY is sent by the process that accepts the keyboard input.
> Unprivileged users are not allowed to send audit records (otherwise they
> would be able to fill the queue and/or the log partition, causing a DoS), so
> the USER_TTY record is discarded.
>
> Even for unprivileged users you should have the type=TTY records, although
> they are noticeably more difficult to interpret.
> Mirek
--
Thanks & Regards,
- Koresh
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038