
auditing syscalls made 'by' an inode?

Is there any way to audit syscalls made by a particular, not yet
running, application? For example, if I'm interested in seeing all
execs by google-chrome, can I do something like the following?

auditctl -a exit,always -F arch=b64 -S execve -F success=1 -F

experimenting seems to indicate that will only tell me when
inode-of-chrome is exec'd, basically a watch rule.

The sort of inverse of this rule that got me thinking about this
initially was auditing a syscall and seeing if it was/wasn't called by
a particular program. For example, auditing all bind() calls which
*aren't* made by chrome (a silly rule to be sure, but just thrown out
as a hypothetical).

If it's not possible to do this now, is there interest in adding this feature?


Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
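An added example, not from the original post or from the audit project: when the rule language cannot express "made by program X", the usual fallback is to audit the syscall broadly under a key and filter the SYSCALL records afterwards by their exe= field. The chrome path, pids and log lines below are constructed; the field layout follows what auditd writes.

```python
import re

# Constructed sample audit SYSCALL records (x86_64: syscall 59 = execve, 49 = bind).
# Not real logs; values are made up for the example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=59 success=yes exit=0 pid=4121 ppid=3000 auid=1000 uid=1000 comm="chrome" exe="/opt/google/chrome/chrome" key="exec"
type=SYSCALL msg=audit(1364481363.501:24288): arch=c000003e syscall=59 success=yes exit=0 pid=4130 ppid=4121 auid=1000 uid=1000 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" key="exec"
type=SYSCALL msg=audit(1364481364.010:24289): arch=c000003e syscall=59 success=yes exit=0 pid=4150 ppid=3000 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="exec"
type=SYSCALL msg=audit(1364481365.222:24290): arch=c000003e syscall=49 success=yes exit=0 pid=4121 ppid=3000 auid=1000 uid=1000 comm="chrome" exe="/opt/google/chrome/chrome" key="bind"
type=SYSCALL msg=audit(1364481366.333:24291): arch=c000003e syscall=49 success=yes exit=0 pid=4200 ppid=1 auid=0 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="bind"
type=SYSCALL msg=audit(1364481366.400:24292): arch=c000003e syscall=49 success=no exit=-13 pid=4210 ppid=3000 auid=1000 uid=1000 comm="python" exe="/usr/bin/python" key="bind"
"""

EXECVE, BIND = 59, 49
CHROME = "/opt/google/chrome/chrome"  # assumed install path
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(log):
    """Parse each successful SYSCALL line into a dict of key=value fields (quotes stripped)."""
    records = []
    for line in log.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if rec.get("type") == "SYSCALL" and rec.get("success") == "yes":
            records.append(rec)
    return records

def syscalls_by_exe(records, syscall, exe, made_by=True):
    """Records of `syscall` whose calling image is `exe` (made_by=True),
    or whose image is anything else (made_by=False, the inverse rule from the post)."""
    return [r for r in records
            if r["syscall"] == str(syscall) and (r["exe"] == exe) == made_by]

def execs_spawned_by(records, exe):
    """For execve, exe= names the image that was just loaded (what the post observed),
    so 'execs by chrome' is found by matching ppid against pids already seen running exe."""
    parent_pids = {r["pid"] for r in records if r["exe"] == exe}
    return [r for r in records
            if r["syscall"] == str(EXECVE) and r["ppid"] in parent_pids]

def report(log=SAMPLE_LOG):
    """Answer both questions from the post over the sample log."""
    records = parse_records(log)
    return {
        "binds_not_by_chrome": [r["exe"] for r in syscalls_by_exe(records, BIND, CHROME, made_by=False)],
        "execs_by_chrome": [r["exe"] for r in execs_spawned_by(records, CHROME)],
    }
```

Feed it the output of `ausearch -k bind` or `ausearch -k exec` in place of the constructed log; the failed bind record is dropped, matching `-F success=1` in the rule.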
