How can we exclude results from users with tty=(none) in auditd? The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsHow to log all system calls made by a process and all its descendants with auditdHow can I live-change the TTY rows and columns?How to disable useless “audit success” log entries in dmesgHow to exclude auditd messages from dmesg and only log them in /var/log/audit.logHow can I get auditd to report on ONLY the rules I specify with auditctl? (Linux)Why does linux audit daemon restart periodically with the following log?How can I scroll up in tty?How do I differentiate between, xterm and firefox, if both call syscall=socketcall(recvmsg)How to capture ssh commands on the fly with auditdhow to extracting only few records from audit.log

What do you call a plan that's an alternative plan in case your initial plan fails?

Searching for a differential characteristic (differential cryptanalysis)

Make it rain characters

Arduino Pro Micro - switch off LEDs

Cooking pasta in a water boiler

How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time

What is special about square numbers here?

How does ice melt when immersed in water?

What information about me do stores get via my credit card?

Why is superheterodyning better than direct conversion?

Do warforged have souls?

Does Parliament need to approve the new Brexit delay to 31 October 2019?

Wall plug outlet change

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

Did the new image of black hole confirm the general theory of relativity?

Derivation tree not rendering

Is every episode of "Where are my Pants?" identical?

Is above average number of years spent on PhD considered a red flag in future academia or industry positions?

Match Roman Numerals

Create an outline of font

Working through the single responsibility principle (SRP) in Python when calls are expensive

What was the last x86 CPU that did not have the x87 floating-point unit built in?

What is this lever in Argentinian toilets?

How do I add random spotting to the same face in cycles?



How can we exclude results from users with tty=(none) in auditd?



The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
2019 Community Moderator Election ResultsHow to log all system calls made by a process and all its descendants with auditdHow can I live-change the TTY rows and columns?How to disable useless “audit success” log entries in dmesgHow to exclude auditd messages from dmesg and only log them in /var/log/audit.logHow can I get auditd to report on ONLY the rules I specify with auditctl? (Linux)Why does linux audit daemon restart periodically with the following log?How can I scroll up in tty?How do I differentiate between, xterm and firefox, if both call syscall=socketcall(recvmsg)How to capture ssh commands on the fly with auditdhow to extracting only few records from audit.log



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








0















Is there any way to exclude the event records having tty=(none)



I have tried many ways of adding rule but nothing worked out.
This is my current log file:



 > > type=SYSCALL msg=audit(1554390377.124:5): arch=40000003 syscall=11
> > success=yes exit=0 a0=810cf88 a1=810bd88 a2=80f5008 a3=810bd88 items=2
> > ppid=9991 pid=10497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="date"
> > exe="/bin/busybox.nosuid" key=(null)
>
> > type=EXECVE msg=audit(1554390377.124:5): argc=2 a0="date" a1="+%m%d%y-%H:%M:%S:%N"
>
> > type=CWD msg=audit(1554390377.124:5): cwd="/" type=PATH
> > msg=audit(1554390377.124:5): item=0 name="/bin/date" inode=1538
> > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> >
> > type=PATH msg=audit(1554390377.124:5): item=1 name=(null) inode=969
> > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
>
> > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
> > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
> > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
> > exe="/bin/busybox.nosuid" key=(null)
> > type=EXECVE
> > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
> > type=CWD msg=audit(1554390389.524:36): cwd="/"


I need only the following lines in log file where tty=pts0/pts[any number]:



> type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
> success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
> ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
> exe="/bin/busybox.nosuid" key=(null)
> type=EXECVE
> msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
> type=CWD msg=audit(1554390389.524:36): cwd="/"
> type=PATH
> msg=audit(1554390389.524:36): item=0 name="/bin/cat" inode=1538
> dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1554390389.524:36): item=1 name=(null) inode=969
> dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL









share|improve this question




























    0















    Is there any way to exclude the event records having tty=(none)



    I have tried many ways of adding rule but nothing worked out.
    This is my current log file:



     > > type=SYSCALL msg=audit(1554390377.124:5): arch=40000003 syscall=11
    > > success=yes exit=0 a0=810cf88 a1=810bd88 a2=80f5008 a3=810bd88 items=2
    > > ppid=9991 pid=10497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
    > > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="date"
    > > exe="/bin/busybox.nosuid" key=(null)
    >
    > > type=EXECVE msg=audit(1554390377.124:5): argc=2 a0="date" a1="+%m%d%y-%H:%M:%S:%N"
    >
    > > type=CWD msg=audit(1554390377.124:5): cwd="/" type=PATH
    > > msg=audit(1554390377.124:5): item=0 name="/bin/date" inode=1538
    > > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    > >
    > > type=PATH msg=audit(1554390377.124:5): item=1 name=(null) inode=969
    > > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    >
    > > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
    > > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
    > > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
    > > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
    > > exe="/bin/busybox.nosuid" key=(null)
    > > type=EXECVE
    > > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
    > > type=CWD msg=audit(1554390389.524:36): cwd="/"


    I need only the following lines in log file where tty=pts0/pts[any number]:



    > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
    > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
    > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
    > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
    > exe="/bin/busybox.nosuid" key=(null)
    > type=EXECVE
    > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
    > type=CWD msg=audit(1554390389.524:36): cwd="/"
    > type=PATH
    > msg=audit(1554390389.524:36): item=0 name="/bin/cat" inode=1538
    > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    > type=PATH msg=audit(1554390389.524:36): item=1 name=(null) inode=969
    > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL









    share|improve this question
























      0












      0








      0








      Is there any way to exclude the event records having tty=(none)



      I have tried many ways of adding rule but nothing worked out.
      This is my current log file:



       > > type=SYSCALL msg=audit(1554390377.124:5): arch=40000003 syscall=11
      > > success=yes exit=0 a0=810cf88 a1=810bd88 a2=80f5008 a3=810bd88 items=2
      > > ppid=9991 pid=10497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      > > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="date"
      > > exe="/bin/busybox.nosuid" key=(null)
      >
      > > type=EXECVE msg=audit(1554390377.124:5): argc=2 a0="date" a1="+%m%d%y-%H:%M:%S:%N"
      >
      > > type=CWD msg=audit(1554390377.124:5): cwd="/" type=PATH
      > > msg=audit(1554390377.124:5): item=0 name="/bin/date" inode=1538
      > > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
      > >
      > > type=PATH msg=audit(1554390377.124:5): item=1 name=(null) inode=969
      > > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
      >
      > > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
      > > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
      > > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      > > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
      > > exe="/bin/busybox.nosuid" key=(null)
      > > type=EXECVE
      > > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
      > > type=CWD msg=audit(1554390389.524:36): cwd="/"


      I need only the following lines in log file where tty=pts0/pts[any number]:



      > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
      > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
      > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
      > exe="/bin/busybox.nosuid" key=(null)
      > type=EXECVE
      > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
      > type=CWD msg=audit(1554390389.524:36): cwd="/"
      > type=PATH
      > msg=audit(1554390389.524:36): item=0 name="/bin/cat" inode=1538
      > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
      > type=PATH msg=audit(1554390389.524:36): item=1 name=(null) inode=969
      > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL









      share|improve this question














      Is there any way to exclude the event records having tty=(none)



      I have tried many ways of adding rule but nothing worked out.
      This is my current log file:



       > > type=SYSCALL msg=audit(1554390377.124:5): arch=40000003 syscall=11
      > > success=yes exit=0 a0=810cf88 a1=810bd88 a2=80f5008 a3=810bd88 items=2
      > > ppid=9991 pid=10497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      > > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="date"
      > > exe="/bin/busybox.nosuid" key=(null)
      >
      > > type=EXECVE msg=audit(1554390377.124:5): argc=2 a0="date" a1="+%m%d%y-%H:%M:%S:%N"
      >
      > > type=CWD msg=audit(1554390377.124:5): cwd="/" type=PATH
      > > msg=audit(1554390377.124:5): item=0 name="/bin/date" inode=1538
      > > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
      > >
      > > type=PATH msg=audit(1554390377.124:5): item=1 name=(null) inode=969
      > > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
      >
      > > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
      > > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
      > > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      > > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
      > > exe="/bin/busybox.nosuid" key=(null)
      > > type=EXECVE
      > > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
      > > type=CWD msg=audit(1554390389.524:36): cwd="/"


      I need only the following lines in log file where tty=pts0/pts[any number]:



      > type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
      > success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
      > ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      > egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
      > exe="/bin/busybox.nosuid" key=(null)
      > type=EXECVE
      > msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
      > type=CWD msg=audit(1554390389.524:36): cwd="/"
      > type=PATH
      > msg=audit(1554390389.524:36): item=0 name="/bin/cat" inode=1538
      > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
      > type=PATH msg=audit(1554390389.524:36): item=1 name=(null) inode=969
      > dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL






      linux tty linux-audit






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Apr 10 at 6:19









      fox18fox18

      54




      54




















          0






          active

          oldest

          votes












          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f511593%2fhow-can-we-exclude-results-from-users-with-tty-none-in-auditd%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f511593%2fhow-can-we-exclude-results-from-users-with-tty-none-in-auditd%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          getting Checkpoint VPN SSL Network Extender working in the command lineHow to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate

          Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

          Marilyn Monroe Ny fiainany manokana | Jereo koa | Meny fitetezanafanitarana azy.