auditing files which are executed?
Brennan, William C
william.c.brennan at lmco.com
Fri Jan 18 23:32:57 UTC 2008
Matthew Booth wrote:
> Brennan, William C wrote:
> > How do I configure parameters for auditctl to make an audit record every
> > time a file is executed?
> >
>
> On i386:
> -a entry,always -F arch=i386 -S execve
>
> On x86_64, you need the above in addition to:
> -a entry,always -F arch=x86_64 -S execve

Okay, that's valuable, but I see I did not describe my problem precisely
enough. Let me try this again. How do I configure parameters for
auditctl to make an audit record every time a PARTICULAR file is
executed?

Is there a way to do this? Or is the only way to report on this
information by collecting auditing for all executed files (as given,
above), and then to filter more accurately using "ausearch -f filename"?

-- Bill
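
The collect-everything-then-filter approach mentioned in the message above, as an added example that is not part of the original thread: execve events from both architectures are grouped by audit serial and kept only when a PATH record resolves to one particular file. The sample records are constructed, `executions_of` is a hypothetical helper, and this approximates filtering by file name rather than reproducing ausearch itself.

```python
import os
import re

# Constructed sample records in audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200699000.101:40): arch=c000003e syscall=59 success=yes exit=0 pid=2101 uid=500 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1200699000.101:40): cwd="/home/bill"
type=PATH msg=audit(1200699000.101:40): item=0 name="/bin/ls" inode=1234
type=SYSCALL msg=audit(1200699005.220:41): arch=c000003e syscall=59 success=yes exit=0 pid=2102 uid=500 comm="report" exe="/opt/tools/report"
type=CWD msg=audit(1200699005.220:41): cwd="/opt/tools"
type=PATH msg=audit(1200699005.220:41): item=0 name="./report" inode=5678
type=SYSCALL msg=audit(1200699009.007:42): arch=40000003 syscall=11 success=yes exit=0 pid=2103 uid=0 comm="report" exe="/opt/tools/report"
type=CWD msg=audit(1200699009.007:42): cwd="/"
type=PATH msg=audit(1200699009.007:42): item=0 name="/opt/tools/report" inode=5678
type=SYSCALL msg=audit(1200699011.500:43): arch=c000003e syscall=2 success=yes exit=3 pid=2104 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1200699011.500:43): item=0 name="report" inode=5678
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# execve syscall number per audit arch value: x86_64 and i386.
EXECVE_NR = {"c000003e": "59", "40000003": "11"}

def executions_of(log_text, target):
    """Return execve events with a PATH record resolving to absolute path target."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            fields = dict(FIELD.findall(body))
            events.setdefault((ts, serial), {}).setdefault(rtype, []).append(fields)
    hits = []
    for (ts, serial), recs in events.items():
        sc = (recs.get("SYSCALL") or [{}])[0]
        nr = EXECVE_NR.get(sc.get("arch"))
        if nr is None or nr != sc.get("syscall"):
            continue
        # PATH names are recorded as passed to execve, so resolve them against CWD.
        cwd = recs["CWD"][0].get("cwd", "/").strip('"') if recs.get("CWD") else "/"
        names = [p.get("name", "").strip('"') for p in recs.get("PATH", [])]
        if any(os.path.normpath(os.path.join(cwd, n)) == target for n in names):
            hits.append({"serial": int(serial), "pid": int(sc["pid"]), "uid": int(sc["uid"])})
    return hits

if __name__ == "__main__":
    print(executions_of(SAMPLE_LOG, "/opt/tools/report"))
```

Event 43 in the sample opens the same file without executing it and is excluded, which is the distinction a plain file-name match on the log would miss.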