From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthew Booth <mbooth@redhat.com>
Subject: Differentiating user activity from system activity
Date: Mon, 09 Mar 2009 21:42:09 +0000
Message-ID: <1236634929.24497.65.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from [10.33.6.4] (vpn-6-4.fab.redhat.com [10.33.6.4])
	by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id n29LgBJF017760
	for <linux-audit@redhat.com>; Mon, 9 Mar 2009 17:42:12 -0400
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

In the broadest possible sense, including definitions of 'user activity'
and 'system activity', what schemes have people considered for the
above?

On other unixes, audit events have an associated 'terminal'. On the face
of it, this seems like a reasonable differentiator. I.e. a 'user'
process has a terminal, a 'system' process does not. Is this any good?

On Linux we don't record a terminal. How about a non-default auid? What
about system daemons restarted by an administrator? How about SELinux?

Your thoughts appreciated,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490