From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] audit: audit on the future execution of a binary.
Date: Tue, 09 Jul 2013 15:03:59 -0400
Message-ID: <5192425.psOmB7euJG@x2>
In-Reply-To: <1983744.efnQVMhNqu@x2>
On Sunday, July 07, 2013 15:41:41 Peter Moody wrote:
> I *think* I'm the only one who's been asking for this feature, so
> hopefully my not getting to it won't be putting anyone out.
The reason that this is needed is that what we have available for auditing
strange problems that a particular program might have is the
equivalent of audit by inode. You have to have the pid in order to write a
rule. Another invocation and we need a new rule. This feature would allow you
to do investigations like:
- give me all EPERM events generated by apache.
- give me all files opened by gnash
- give me all execve calls made by bind
- record any time sendmail fails to change uid
- exclude any opens with ENOENT by top secret processes <- real important
-Steve
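The investigations Steve lists are per-binary questions, which is what a rule keyed on the executable path (instead of a pid or inode) would let the kernel answer directly. As an added illustration that is not part of the thread, the Python below answers the same questions in userspace: it groups audit records by serial number and filters on the SYSCALL record's exe= and exit= fields. The log lines are constructed, and the syscall numbers assume x86_64 (arch=c000003e).

```python
import re
from collections import defaultdict

EPERM, ENOENT = 1, 2            # errno values; a failed syscall logs exit=-<errno>
SYS_OPEN, SYS_SETUID = 2, 105   # x86_64 syscall numbers (assumes arch=c000003e)
# Constructed sample records in the kernel audit log format; not from the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1373396639.100:101): arch=c000003e syscall=105 success=no exit=-1 pid=2001 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1373396639.200:102): arch=c000003e syscall=2 success=yes exit=4 pid=2002 uid=1000 comm="gnash" exe="/usr/bin/gnash" key=(null)
type=PATH msg=audit(1373396639.200:102): item=0 name="/home/user/.gnash/cache.swf" inode=2211 dev=fd:01 mode=0100644
type=SYSCALL msg=audit(1373396639.300:103): arch=c000003e syscall=2 success=no exit=-2 pid=2002 uid=1000 comm="gnash" exe="/usr/bin/gnash" key=(null)
type=PATH msg=audit(1373396639.300:103): item=0 name="/home/user/.gnash/missing.swf" inode=0 dev=fd:01 mode=0
type=SYSCALL msg=audit(1373396639.400:104): arch=c000003e syscall=105 success=no exit=-1 pid=2003 uid=0 comm="sendmail" exe="/usr/sbin/sendmail" key=(null)
"""
_HEAD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_log(text):
    """Group records sharing a serial into one event: {'SYSCALL': {...}, 'PATH': [...]}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = _HEAD.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(body)}
        if rtype == "SYSCALL":
            events[serial]["SYSCALL"] = fields
        elif rtype == "PATH":
            events[serial]["PATH"].append(fields)
    return dict(events)

def query(events, exe, syscall=None, errno=None, exclude_errno=()):
    """Events from `exe`, narrowed by syscall number / failure errno; exclude_errno drops noise."""
    hits = []
    for serial in sorted(events, key=int):
        sc = events[serial]["SYSCALL"]
        if sc is None or sc["exe"] != exe:
            continue
        rc = int(sc["exit"])              # negative exit value == -errno
        if ((syscall is None or int(sc["syscall"]) == syscall)
                and (errno is None or rc == -errno)
                and not (rc < 0 and -rc in exclude_errno)):
            hits.append(events[serial])
    return hits

def files_opened_by(events, exe):
    """Pathnames (PATH records) of successful open() calls by `exe`, ENOENT noise excluded."""
    return [p["name"] for ev in query(events, exe, syscall=SYS_OPEN, exclude_errno=(ENOENT,))
            if ev["SYSCALL"]["success"] == "yes" for p in ev["PATH"]]
```

For example, `query(ev, "/usr/sbin/httpd", errno=EPERM)` is "all EPERM events generated by apache" and `query(ev, "/usr/sbin/sendmail", syscall=SYS_SETUID, errno=EPERM)` is "sendmail fails to change uid".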