Auditd filter
Hello,
I'm trying to establish RHEL auditing with auditd.
We would like to log only commands of users connected over ssh and executed as root user. For start I'm testing rules:
-a always,exit -F arch=b64 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
-a always,exit -F arch=b32 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
It all works well, but the problem is that on some servers there was lot of unnecessary logging of events from system activity type=SYSCALL with tty=(none)
I was trying to add filter with tty!=(none), but tty filter is not supported. Is there some other general option to filter out such events? I don't like idea to write custom filter for every server.
Thanks and best regards,
Luka