From mboxrd@z Thu Jan  1 00:00:00 1970
From: Rich Whitcroft <rwhitcro@uwo.ca>
Subject: auditing activity where uid==0
Date: Mon, 19 Oct 2009 11:02:33 -0400
Message-ID: <4ADC7F89.5030501@uwo.ca>
Mime-Version: 1.0
Content-Type: text/plain; CHARSET=US-ASCII; format=flowed
Content-Transfer-Encoding: 7BIT
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx09.extmail.prod.ext.phx2.redhat.com
	[10.5.110.13])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id n9JF2ktj021414
	for <linux-audit@redhat.com>; Mon, 19 Oct 2009 11:02:46 -0400
Received: from uwo.ca (v320-146-lb.its.uwo.ca [129.100.74.146])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n9JF2YFg032248
	for <linux-audit@redhat.com>; Mon, 19 Oct 2009 11:02:35 -0400
Received: from zeppo.mail.uwo.pri (salk.mail.uwo.pri [172.29.32.41])
	by zeppo.mail.uwo.pri
	(Sun Java(tm) System Messaging Server 7u2-7.02 64bit (built Apr 16
	2009)) with ESMTP id <0KRR00FIEOG9CN60@zeppo.mail.uwo.pri> for
	linux-audit@redhat.com; Mon, 19 Oct 2009 11:02:33 -0400 (EDT)
Received: from [129.100.6.31] ([unknown] [129.100.6.31])
	by zeppo.mail.uwo.pri (Sun Java(tm) System Messaging Server 7u2-7.02
	64bit (built Apr 16 2009)) with ESMTP id
	<0KRR00GWGOG9IG40@zeppo.mail.uwo.pri> for
	linux-audit@redhat.com; Mon, 19 Oct 2009 11:02:33 -0400 (EDT)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

Here's my current rule, which is working, but is producing a lot of 
extra log that I'd like to suppress:

-a entry,always -S execve -F euid=0

I'm wondering if there's a way to limit this to only audit events that 
happen from a real tty, e.g. a human user. I'm getting lots of 
extraneous chatter from sshd, automount, and cron, all of which are from 
tty=(none), but I'm not sure it's possible to filter on tty...

Thanks