From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Booth Subject: Re: Differentiating user activity from system activity Date: Tue, 10 Mar 2009 18:05:14 +0000 Message-ID: <1236708314.3386.26.camel@localhost.localdomain> References: <1236634929.24497.65.camel@localhost.localdomain> <200903101152.36796.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <200903101152.36796.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tue, 2009-03-10 at 11:52 -0400, Steve Grubb wrote: > On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote: > > On Linux we don't record a terminal. > > We do record terminal info in the tty & term fields. Additionally, if the auid > and ses fields are -1, you know its a process that was descended from init. > If they have something in them, then it was descended from a login session. I should have made this clear: the principal target is RHEL 4, although RHEL 5 features are worth noting. Do these fields exists in RHEL 5? > > What about system daemons restarted by an administrator? > > They would inherit the admin's environment and identifiers. Is that something you've ever given any thought to? This could be quite problematic in a number of situations. I suspect SELinux would be the answer here. > > How about SELinux? > > Not sure how this applies. This would be RHEL 5 only, but I was thinking something along the lines of differentiating based on SELinux context. Matt