[PATCH] Support for auditing on the actions of a not-yet-executed process.
Steve Grubb
sgrubb at redhat.com
Mon Aug 27 12:54:19 UTC 2012
On Thursday, August 23, 2012 12:25:54 PM Peter Moody wrote:
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
> success=1
>
> to see instances of /bin/bash opening a non-local socket. Or
>
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F
> success=1
>
> to see instances of /bin/bash, and any descendant processes, opening a non-local
> socket.
>
> proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
> and it seemed like there was interest.
Yeah, another use case might be:
-a always,exit -F dir=/watched-dir -F perms=r -F exe=/usr/bin/scp
So that you can see files being transferred away from a directory that you care
about. Of course you wouldn't have the address unless you also catch the
connect or maybe execve.
I'll merge the user space code when this is accepted into the kernel.
Thanks,
-Steve
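Added example, not code from the thread or the audit project: a post-processing script that emulates the two rules quoted above (the existing exe= match and the proposed exe_children= match) over constructed SYSCALL records, using a constructed pid/ppid/exe table to stand in for the process ancestry the kernel would consult.

```python
import re

# Constructed audit SYSCALL records (not real log data). On x86_64, arch=c000003e is
# what -F arch=b64 matches, syscall=41 is socket(2), and a0 (hex) is the address family.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1345729200.101:11): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 pid=2001 ppid=2000 exe="/bin/bash"',
    'type=SYSCALL msg=audit(1345729200.102:12): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=1 a2=0 a3=0 pid=2001 ppid=2000 exe="/bin/bash"',
    'type=SYSCALL msg=audit(1345729200.103:13): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 pid=2002 ppid=2001 exe="/usr/bin/curl"',
    'type=SYSCALL msg=audit(1345729200.104:14): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=0 pid=2003 ppid=2001 exe="/usr/bin/nc"',
    'type=SYSCALL msg=audit(1345729200.105:15): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 pid=3001 ppid=1 exe="/usr/sbin/sshd"',
]

# Constructed pid -> (ppid, exe) table standing in for the ancestry exe_children would
# consult; in practice rebuild it from EXECVE records or a /proc snapshot taken with the log.
PROC_TABLE = {
    2000: (1, "/usr/sbin/sshd"),
    2001: (2000, "/bin/bash"),
    2002: (2001, "/usr/bin/curl"),
    2003: (2001, "/usr/bin/nc"),
    3001: (1, "/usr/sbin/sshd"),
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def ancestor_exes(pid, table):
    """Yield the exe of pid and of each ancestor, following ppid links."""
    while pid in table:
        pid, exe = table[pid]
        yield exe

def rule_matches(rec, table, exe, children=False):
    """Emulate -F arch=b64 -S socket -F a0!=1 -F success=1 plus exe= or exe_children=."""
    if rec.get("arch") != "c000003e" or rec.get("syscall") != "41":
        return False
    if rec.get("success") != "yes" or int(rec.get("a0", "1"), 16) == 1:
        return False  # failed call, or a0=1 (AF_UNIX) which the rules exclude
    if rec.get("exe") == exe:  # exe= only ever matches the calling process
        return True
    # exe_children= additionally matches when any ancestor's exe is the target
    return children and exe in ancestor_exes(int(rec["ppid"]), table)

def matching_pids(lines, table, exe, children=False):
    """Return pids of the records the emulated rule would report, in log order."""
    return [int(r["pid"]) for r in map(parse_record, lines)
            if rule_matches(r, table, exe, children)]
```

With exe=/bin/bash only the shell's own AF_INET socket (pid 2001) is reported; with exe_children=/bin/bash the curl child (pid 2002) is reported as well, while the AF_UNIX socket and the failed call stay excluded.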