[[PATCH V2] 0/2] Log on the future execution of a path

Richard Guy Briggs rgb at redhat.com
Tue Jul 14 15:46:47 UTC 2015


This is part of Peter Moody's, my and Eric Paris' work to implement
audit by executable name.

Please see the accompanying kernel patchset:
	https://www.redhat.com/archives/linux-audit/2015-July/thread.html
	[PATCH V6 0/4] audit by executable name

If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory, at which point the change in
device and inode will be noted.


Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----

# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712):  cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----

# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----


Revision history:
v2: Allow exe or exe_children field alone without watch or syscall

v1: change to path interface instead of inode
	https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html

v0: Peter Moody's original patches
	https://www.redhat.com/archives/linux-audit/2012-August/msg00034.html

Next step:
Get full-path notify working.


Richard Guy Briggs (2):
  userspace: audit: log on the future execution of a path
  Allow monitoring of any activity on an executable with a specific
    path.

 trunk/lib/errormsg.h         |    4 ++--
 trunk/lib/fieldtab.h         |    2 ++
 trunk/lib/libaudit.c         |   11 ++++++++++-
 trunk/lib/libaudit.h         |    7 ++++++-
 trunk/lib/private.h          |    1 +
 trunk/src/auditctl-listing.c |    8 +++++++-
 trunk/src/auditctl.c         |    8 +++++++-
 7 files changed, 35 insertions(+), 6 deletions(-)
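Added example, not part of the patchset or the cover letter: the records in the sample run above are multi-record events sharing one audit serial (here 44712), with the executable in the SYSCALL record, the argv hex-encoded in PROCTITLE, and the touched names in the PATH records. The script below groups those records by serial, decodes the proctitle, checks an event against the same exe/dir/key triple the auditctl rule used, and pulls out the CONFIG_CHANGE records that show the rule being added and removed. The log text is the cover letter's own records pasted in as a constructed sample (including the ausearch `time->` and `----` separators, which are skipped) so it runs offline; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the cover letter's sample run, verbatim,
# plus the ausearch separators, embedded so the example runs offline.
SAMPLE_LOG = """\
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712):  cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
"""

# One record: type=<TYPE> msg=audit(<secs.usecs>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare non-space token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fields(body):
    """Turn the key=value tail of a record into a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(body)}


def parse_events(log_text):
    """Group records by serial: {serial: {record_type: [fields, ...]}}.
    Lines that are not audit records (ausearch separators) are ignored."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        events[int(m.group('serial'))][m.group('type')].append(parse_fields(m.group('body')))
    return events


def decode_proctitle(hex_value):
    """PROCTITLE is hex because argv is NUL-separated; split on NUL to get argv back."""
    return bytes.fromhex(hex_value).decode('utf-8', 'replace').split('\0')


def summarize_syscall_event(ev):
    """Flatten one grouped event into the fields an exe-based rule is about."""
    sc = ev['SYSCALL'][0]
    argv = decode_proctitle(ev['PROCTITLE'][0]['proctitle']) if ev.get('PROCTITLE') else []
    return {
        'exe': sc.get('exe'),
        'comm': sc.get('comm'),
        'key': sc.get('key'),
        'syscall': int(sc['syscall']),
        'success': sc.get('success') == 'yes',
        'argv': argv,
        # (name, nametype, dev, inode) for each PATH item; dev/inode is what the
        # kernel actually tracks, as the cover letter notes for re-evaluated paths
        'paths': [(p['name'], p['nametype'], p['dev'], p['inode']) for p in ev.get('PATH', [])],
    }


def matches_exe_rule(summary, exe, dir_prefix, key):
    """Mirror the rule -F dir=<dir_prefix> -F exe=<exe> -F key=<key>: the calling
    task's executable must be <exe> and some PATH item must lie in <dir_prefix>."""
    tree = dir_prefix.rstrip('/') + '/'
    in_tree = any(name == tree or name.startswith(tree) for name, *_ in summary['paths'])
    return summary['exe'] == exe and summary['key'] == key and in_tree


def find_matching_events(log_text, exe, dir_prefix, key):
    """Serials of SYSCALL events that satisfy the given exe/dir/key rule."""
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        if 'SYSCALL' in ev and matches_exe_rule(summarize_syscall_event(ev), exe, dir_prefix, key):
            hits.append(serial)
    return hits


def rule_config_changes(log_text, key):
    """(serial, op) for CONFIG_CHANGE records touching a rule with this key; an
    unexpected remove_rule is the thing to alert on, since it blinds the rule."""
    out = []
    for serial, ev in sorted(parse_events(log_text).items()):
        for rec in ev.get('CONFIG_CHANGE', []):
            if rec.get('key') == key and 'op' in rec:
                out.append((serial, rec['op']))
    return out


if __name__ == '__main__':
    print(find_matching_events(SAMPLE_LOG, '/usr/bin/touch', '/tmp', 'exetest_tree'))
    print(rule_config_changes(SAMPLE_LOG, 'exetest_tree'))
```

The match is on the SYSCALL record's exe field, which is the path the task was executed from; a copy of touch run from another path would not hit this rule, which is the point of filtering by executable rather than by comm.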




More information about the Linux-audit mailing list