How can we exclude results from users with tty=(none) in auditd?
Is there any way to exclude the event records having tty=(none)?



I have tried many ways of adding a rule, but nothing worked out.
This is my current log file:



> type=SYSCALL msg=audit(1554390377.124:5): arch=40000003 syscall=11
> success=yes exit=0 a0=810cf88 a1=810bd88 a2=80f5008 a3=810bd88 items=2
> ppid=9991 pid=10497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="date"
> exe="/bin/busybox.nosuid" key=(null)
> type=EXECVE msg=audit(1554390377.124:5): argc=2 a0="date" a1="+%m%d%y-%H:%M:%S:%N"
> type=CWD msg=audit(1554390377.124:5): cwd="/" type=PATH
> msg=audit(1554390377.124:5): item=0 name="/bin/date" inode=1538
> dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1554390377.124:5): item=1 name=(null) inode=969
> dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
> success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
> ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
> exe="/bin/busybox.nosuid" key=(null)
> type=EXECVE
> msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
> type=CWD msg=audit(1554390389.524:36): cwd="/"


I need only the following lines in the log file, where tty=pts0/pts[any number]:



> type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11
> success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2
> ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat"
> exe="/bin/busybox.nosuid" key=(null)
> type=EXECVE
> msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
> type=CWD msg=audit(1554390389.524:36): cwd="/"
> type=PATH
> msg=audit(1554390389.524:36): item=0 name="/bin/cat" inode=1538
> dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1554390389.524:36): item=1 name=(null) inode=969
> dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

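One way to get the output the question asks for, as an added example that is not part of the question or of the audit project: the tty field appears only on the SYSCALL record of an event, and auditctl's -F filter fields offer no tty match, so this script post-filters audit.log by event id (the msg=audit(timestamp:serial) value shared by all records of one event) and keeps every record of events whose tty is pts<N>, dropping the EXECVE/CWD/PATH records of tty=(none) events along with their SYSCALL record. The sample log is constructed from the question's excerpt; the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the question's log: one event from a
# non-interactive context (tty=(none)) followed by one from a pty (tty=pts0).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1554390377.124:5): arch=40000003 syscall=11 success=yes exit=0 a0=810cf88 a1=810bd88 a2=80f5008 a3=810bd88 items=2 ppid=9991 pid=10497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="date" exe="/bin/busybox.nosuid" key=(null)
type=EXECVE msg=audit(1554390377.124:5): argc=2 a0="date" a1="+%m%d%y-%H:%M:%S:%N"
type=CWD msg=audit(1554390377.124:5): cwd="/"
type=PATH msg=audit(1554390377.124:5): item=0 name="/bin/date" inode=1538 dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1554390389.524:36): arch=40000003 syscall=11 success=yes exit=0 a0=80f68a8 a1=80f6ae8 a2=80f3008 a3=80f6ae8 items=2 ppid=9906 pid=10592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="cat" exe="/bin/busybox.nosuid" key=(null)
type=EXECVE msg=audit(1554390389.524:36): argc=2 a0="cat" a1="/tmp/cpuinfo"
type=CWD msg=audit(1554390389.524:36): cwd="/"
type=PATH msg=audit(1554390389.524:36): item=0 name="/bin/cat" inode=1538 dev=b3:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
TTY = re.compile(r"\btty=(\S+)")
PTS = re.compile(r"^pts\d+$")


def group_events(lines):
    """Group raw audit records by their msg=audit(timestamp:serial) event id,
    keeping first-seen order. Lines without an event id are skipped."""
    events = OrderedDict()
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        events.setdefault(m.group(1), []).append(line.rstrip("\n"))
    return events


def event_tty(records):
    """Return the tty value of an event from whichever record carries it
    (normally only the SYSCALL record does), or None if none carries one."""
    for rec in records:
        m = TTY.search(rec)
        if m:
            return m.group(1)
    return None


def filter_pts_events(lines):
    """Keep whole events whose tty is pts<N>; drop every record of an event
    whose tty is (none) or absent, so no EXECVE/CWD/PATH record is orphaned."""
    kept = []
    for records in group_events(lines).values():
        tty = event_tty(records)
        if tty is not None and PTS.match(tty):
            kept.extend(records)
    return kept


if __name__ == "__main__":
    for rec in filter_pts_events(SAMPLE_LOG.splitlines(keepends=True)):
        print(rec)
```

Events with tty=(none) are the ones produced by cron jobs, services and other non-interactive processes, which is exactly the activity a compromise tends to generate, so apply this as a view over the log rather than as a reason to stop retaining those records.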
      linux tty linux-audit
      asked Apr 10 at 6:19
fox18