Hello, I can only see the root user in the User TTY menu.
Is this expected?
`aureport --tty` shows only this for uid 1002:
```
406. 05/05/2020 17:23:10 1653 0 pts1 12 bash "\000\000\000hostnamectl",,,,"ctl | grep vm",
407. 05/05/2020 17:23:10 1654 0 ? 12 ? "hostnamectl | grep vm"
408. 05/05/2020 17:23:17 1675 0 pts0 1 bash "\000\000\000\000",,
409. 05/05/2020 17:23:17 1676 0 ? 1 ? "aureport --tty"
- 05/05/2020 17:24:30 1802 1002 pts2 13 bash "hostnamectl",,,,"ctl | grep vm",,"exit",
```
I presume that's why it does not generate the expected event data for the User TTY saved search to consume?
Or maybe there are other requirements to make it work? From how you wrote your doc, I see it should include "users", so not just root?
https://github.com/doksu/splunk_auditd/wiki/About-Auditd
Maybe I need to update the kernel? I use 5.x on CentOS 7.x.
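One check worth running before touching the kernel, added here as an example and not code from the issue or from the splunk_auditd project: on Linux, which users get TTY keystroke auditing at all is decided by the pam_tty_audit PAM module, through the enable=/disable= patterns on its line in the PAM session stack (on CentOS 7 normally /etc/pam.d/system-auth and /etc/pam.d/password-auth). If that line says `enable=root` only, `aureport --tty` will only ever carry records for uid 0. The helper below reports those patterns; the file paths and the sample config it parses are assumptions, not taken from any real host.

```shell
#!/bin/sh
# Added example, not code from the issue or from the splunk_auditd project.
# pam_tty_audit's enable=/disable= patterns (processed left to right, the
# last matching one wins) decide whose keystrokes reach the audit log, so a
# line with "enable=root" alone explains TTY records for uid 0 only.
# Paths and the sample config below are assumptions, not taken from any host.

# Print "<file>: enable=<pattern> disable=<pattern>" for every active
# pam_tty_audit line in the given PAM config file(s); "(unset)" marks an
# option that is absent. No output means TTY auditing is not configured there.
tty_audit_users() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }          # skip commented-out lines
            /pam_tty_audit/ {
                en = "(unset)"; dis = "(unset)"
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^enable=/)  { sub(/^enable=/,  "", $i); en  = $i }
                    if ($i ~ /^disable=/) { sub(/^disable=/, "", $i); dis = $i }
                }
                printf "%s: enable=%s disable=%s\n", file, en, dis
            }' "$f"
    done
}

# Constructed sample (not copied from a real system) mimicking a CentOS 7
# system-auth session stanza where TTY auditing is restricted to root.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# %PAM-1.0
session     required      pam_limits.so
session     required      pam_tty_audit.so disable=* enable=root
session     optional      pam_systemd.so
EOF

tty_audit_users "$sample"
rm -f "$sample"

# On a live CentOS 7 host, point it at the real PAM stacks instead:
#   tty_audit_users /etc/pam.d/system-auth /etc/pam.d/password-auth
```

If the output shows `enable=root` (or no pam_tty_audit line at all), non-root sessions are simply not being audited, and the fix is in PAM rather than the kernel: pam_tty_audit documents `enable=*` for auditing every user (see man pam_tty_audit), after which new sessions for uid 1002 will produce `aureport --tty` records like the root ones above.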