Auditing a program use but not what it is doing
MAUPERTUIS, PHILIPPE
philippe.maupertuis at equensworldline.com
Thu Feb 13 16:35:46 UTC 2020
> Objet : Re: Auditing a program use but not what it is doing
>
> On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE
> wrote:
> > Like many, we are using aide and clamav.
> > I woud like to have an audit record when these program are run but no
> > records for what they are doing. I mean, I want to know that clamscan or
> > aide has been launched but not that it checks say /etc/passwd whatever
> > rules could be in place for /etc/passwd
>
> Then all you need to do is place a watch on them.
>
> -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
Just to be sure to understand how it works :
If we have two rules in that order :
-a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run
-a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts
When running aide :
- the first rule produces a message
- the second rule is ignored
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
More information about the Linux-audit
mailing list