From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] audit: audit on the future execution of a binary.
Date: Fri, 20 Sep 2013 12:18:40 -0400 [thread overview]
Message-ID: <4340717.2JglgZtF9r@x2> (raw)
In-Reply-To: <5192425.psOmB7euJG@x2>
On Tuesday, July 09, 2013 03:03:59 PM Steve Grubb wrote:
> On Sunday, July 07, 2013 15:41:41 Peter Moody wrote:
> >I *think* I'm the only one who's been asking for this feature, so
> >hopefully my not getting to it won't be putting anyone out.
>
> The reason that this is needed is that what we have available for auditing
> strange problems that a particular program might have is the
> equivalent of audit by inode. You have to have the pid in order to write a
> rule. Another invocation and we need a new rule. This feature would allow
> you to do investigations like:
>
> - give me all EPERM events generated by apache.
> - give me all files opened by gnash
> - give me all execve calls made by bind
> - record any time sendmail fails to change uid
> - exclude any opens with ENOENT by top secret processes <- real important
Another use case someone asked for this week:
- Give me all files transferred by scp.
-Steve
next prev parent reply other threads:[~2013-09-20 16:18 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-23 19:24 [PATCH] audit: audit on the future execution of a binary Peter Moody
2012-09-06 21:34 ` Peter Moody
2013-04-11 18:08 ` Eric Paris
2013-04-11 18:13 ` Peter Moody
2013-07-04 2:48 ` Richard Guy Briggs
2013-07-07 22:41 ` Peter Moody
2013-07-08 19:35 ` Richard Guy Briggs
2013-07-08 19:57 ` Steve Grubb
2013-07-09 19:03 ` Steve Grubb
2013-09-20 16:18 ` Steve Grubb [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-05-05 20:41 [PATCH] audit: log on the future execution of a path Richard Guy Briggs
2014-05-05 20:41 ` [PATCH] audit: audit on the future execution of a binary Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4340717.2JglgZtF9r@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.