[PATCH] audit: audit on the future execution of a binary.
Steve Grubb
sgrubb at redhat.com
Tue Jul 9 19:03:59 UTC 2013
On Sunday, July 07, 2013 15:41:41 Peter Moody wrote:
> I *think* I'm the only one who's been asking for this feature, so
> hopefully my not getting to it won't be putting anyone out.
The reason that this is needed is that what we have available for auditing
strange problems that a particular program might have is the
equivalent of audit by inode. You have to have the pid in order to write a
rule. Another invocation and we need a new rule. This feature would allow you
to do investigations like:
- give me all EPERM events generated by apache.
- give me all files opened by gnash
- give me all execve calls made by bind
- record any time sendmail fails to change uid
- exclude any opens with ENOENT by top secret processes <- real important
-Steve
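Until a rule can key on the executable, the investigations listed above can still be answered after the fact by filtering SYSCALL records on the exe= field they already carry. The Python below is an added example for this page, not code from the patch or from the audit project; it assumes x86_64 syscall numbers and runs over a constructed sample log embedded in the block.

```python
import errno
import re

# Constructed sample SYSCALL records in the kernel's key=value format (not
# from the original message); exit carries -errno when the call failed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1373396639.101:1): arch=c000003e syscall=2 success=no exit=-1 pid=1201 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="web"
type=SYSCALL msg=audit(1373396639.103:3): arch=c000003e syscall=2 success=no exit=-2 pid=1340 uid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1373396639.104:4): arch=c000003e syscall=2 success=no exit=-13 pid=1340 uid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1373396639.105:5): arch=c000003e syscall=105 success=no exit=-1 pid=1502 uid=0 comm="sendmail" exe="/usr/sbin/sendmail" key=(null)
type=SYSCALL msg=audit(1373396639.106:6): arch=c000003e syscall=59 success=yes exit=0 pid=1610 uid=25 comm="named" exe="/usr/sbin/named" key=(null)
type=SYSCALL msg=audit(1373396639.107:7): arch=c000003e syscall=2 success=no exit=-1 pid=1202 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="web"
"""
# A value is a quoted string, the literal (null), or a bare token.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# Syscall numbers are per-arch: this table assumes arch=c000003e (x86_64)
# and covers only the calls present in the sample.
SYSCALL_X86_64 = {2: "open", 59: "execve", 105: "setuid", 257: "openat"}

def parse_record(line):
    """One audit line -> dict, with surrounding quotes stripped from values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in TOKEN.findall(line)}

def errno_name(rec):
    """Symbolic errno for a failed syscall (exit < 0), else None."""
    code = int(rec.get("exit", "0"))
    return errno.errorcode.get(-code) if code < 0 else None

def query(log, exe=None, syscall=None, err=None, exclude_err=None, failed=False):
    """Select SYSCALL records by exe, syscall and errno; exclude_err mirrors a 'never' rule."""
    hits = []
    for rec in map(parse_record, log.splitlines()):
        if rec.get("type") != "SYSCALL":
            continue
        name, e = SYSCALL_X86_64.get(int(rec["syscall"])), errno_name(rec)
        if all((exe is None or rec.get("exe") == exe,
                syscall is None or name == syscall,
                not failed or rec.get("success") == "no",
                err is None or e == err,
                exclude_err is None or e != exclude_err)):
            hits.append(rec)
    return hits

def investigations(log=SAMPLE_LOG):
    # The questions from the message, answered over the sample as event counts.
    return {
        "apache EPERM": len(query(log, exe="/usr/sbin/httpd", err="EPERM")),
        "named execve": len(query(log, exe="/usr/sbin/named", syscall="execve")),
        "sendmail setuid failures": len(query(log, exe="/usr/sbin/sendmail", syscall="setuid", failed=True)),
        "cat opens minus ENOENT": len(query(log, exe="/usr/bin/cat", syscall="open", exclude_err="ENOENT")),
    }
```

Unlike a kernel-side exe= filter, this scans records the kernel has already emitted, so it only sees what the existing rules let through.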