audit 2.5 released

Paul Moore paul at paul-moore.com
Mon Jan 11 19:24:20 UTC 2016


On Mon, Jan 11, 2016 at 2:14 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> This release adds audit by executable name support if your kernel also
> supports it. The audit by executable names support will allow you to write
> rules that target an exact application so that you can see if it is doing
> something odd. An example rule would look like this:
>
> -a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network
>
> I think you will need the 4.4 kernel or later to use this feature.

Linux 4.3 has the necessary support.

 * http://www.paul-moore.com/blog/d/2015/11/linux-v43.html

-- 
paul moore
www.paul-moore.com
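
Added example, not part of the original post or of the audit project's code: a small triage script for the events the quoted rule would log, pairing each SYSCALL record carrying the `bash-network` key with the SOCKADDR record of the same event to recover the destination. The log lines are constructed and abbreviated samples in the raw `audit.log` layout, the function names are hypothetical, and only AF_INET addresses are decoded.

```python
import re
import struct

# Constructed, abbreviated sample records in the raw audit.log layout (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1452540260.101:901): arch=c000003e syscall=42 success=yes exit=0 pid=2311 comm="sh" exe="/bin/sh" key="bash-network"
type=SOCKADDR msg=audit(1452540260.101:901): saddr=02000050C00002010000000000000000
type=SYSCALL msg=audit(1452540261.200:902): arch=c000003e syscall=2 success=yes exit=3 pid=2400 comm="cat" exe="/bin/cat" key="other-rule"
type=SYSCALL msg=audit(1452540262.300:903): arch=c000003e syscall=44 success=yes exit=12 pid=2311 comm="sh" exe="/bin/sh" key="bash-network"
type=SOCKADDR msg=audit(1452540262.300:903): saddr=02000035C63364070000000000000000
"""

SYSCALLS = {"42": "connect", "44": "sendto"}  # x86_64 numbers for the rule's -S list
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_saddr(hexstr):
    """Decode a hex saddr field; return (ip, port) for AF_INET, else None."""
    raw = bytes.fromhex(hexstr)
    # sa_family is host-endian; little-endian here because the rule is arch=x86_64.
    if len(raw) < 8 or struct.unpack("<H", raw[:2])[0] != 2:  # 2 == AF_INET
        return None
    port = struct.unpack("!H", raw[2:4])[0]  # port is in network byte order
    return ".".join(str(b) for b in raw[4:8]), port


def key_hits(log_text, key="bash-network"):
    """Group records by event id and return (serial, exe, syscall, dest) per hit."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events.setdefault(event_id, {})[rtype] = fields
    hits = []
    for event_id, recs in events.items():
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != key:
            continue
        saddr = recs.get("SOCKADDR", {}).get("saddr")
        dest = decode_saddr(saddr) if saddr else None
        name = SYSCALLS.get(sc.get("syscall"), sc.get("syscall"))
        hits.append((int(event_id.split(":")[1]), sc.get("exe"), name, dest))
    return hits


if __name__ == "__main__":
    print(key_hits(SAMPLE_LOG))
```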



