public inbox for linux-audit@redhat.com
* auditing files which are executed?
From: Brennan, William C @ 2008-01-18 22:45 UTC (permalink / raw)
  To: linux-audit



Okay, I'm a newbie, so excuse this question if the answer seems obvious.

I've looked at auditctl to see how it can help us audit several
different conditions, but I can't figure out how to do the following:

How do I configure parameters for auditctl to make an audit record every
time a file is executed?

William C. Brennan
Cube 4929, M1225
Lockheed Martin
Valley Forge, PA
610-354-6960



* Re: auditing files which are executed?
From: Matthew Booth @ 2008-01-18 22:49 UTC (permalink / raw)
  To: Brennan, William C; +Cc: linux-audit



Brennan, William C wrote:
> Okay, I’m a newbie, so excuse this question if the answer seems obvious.
>
> I’ve looked at auditctl to see how it can help us audit several
> different conditions, but I can’t figure out how to do the following:
>
> How do I configure parameters for auditctl to make an audit record every
> time a file is executed?

On i386:
-a entry,always -F arch=i386 -S execve

On x86_64, you need the above in addition to:
-a entry,always -F arch=x86_64 -S execve

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490



* RE: auditing files which are executed?
From: Brennan, William C @ 2008-01-18 23:32 UTC (permalink / raw)
  To: linux-audit

Matthew Booth wrote:
> Brennan, William C wrote:
> > How do I configure parameters for auditctl to make an audit record every
> > time a file is executed?
> > 
>
> On i386:
> -a entry,always -F arch=i386 -S execve
>
> On x86_64, you need the above in addition to:
> -a entry,always -F arch=x86_64 -S execve

Okay, that's valuable, but I see I did not describe my problem precisely
enough.  Let me try this again.  How do I configure parameters for
auditctl to make an audit record every time a PARTICULAR file is
executed?

Is there a way to do this?  Or is the only way to report on this
information by collecting auditing for all executed files (as given,
above), and then to filter more accurately using "ausearch -f filename"?

-- Bill


* Re: auditing files which are executed?
From: Steve Grubb @ 2008-01-19  2:02 UTC (permalink / raw)
  To: linux-audit

On Friday 18 January 2008 18:32:57 Brennan, William C wrote:
> Okay, that's valuable, but I see I did not describe my problem precisely
> enough.  Let me try this again.  How do I configure parameters for
> auditctl to make an audit record every time a PARTICULAR file is
> executed?

You use file watches:

auditctl  -w /usr/sbin/stunnel  -p x  -k my-file-is-executed

There are examples of this in the CAPP & LSPP rules. You can find this 
by 'rpm -ql audit | grep lspp'

-Steve

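The two rule forms from this thread (Matthew Booth's per-architecture execve rules and Steve Grubb's `-w ... -p x -k` file watch) put together as an added example, not code from the thread or the audit package; the sample log records, the key names and the `/usr/sbin/stunnel` path reused from Steve's reply are constructed for illustration. Current auditctl spells the list as `always,exit`; the 2008 `entry,always` form is no longer accepted by modern kernels.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the two kinds of rules
# discussed above and check, offline, that a record carries the watch key.

# Rules that record every execve, one per architecture. On x86_64 both
# lines are needed, as Matthew Booth's reply says, or 32-bit binaries
# would go unrecorded.
execve_rules() {
    printf '%s\n' '-a always,exit -F arch=b32 -S execve -k all-exec' \
                  '-a always,exit -F arch=b64 -S execve -k all-exec'
}

# A file watch on one binary, as in Steve Grubb's reply: -p x fires on
# execute only, -k tags the records so 'ausearch -k KEY' can find them.
#   $1 = path of the file to watch   $2 = key
exec_watch_rule() {
    printf '%s\n' "-w $1 -p x -k $2"
}

# Count records on stdin tagged with key $1. This is a stand-in for
# 'ausearch -k' so the example runs without auditd; real SYSCALL records
# carry the same key="..." field.
count_by_key() {
    grep -c "key=\"$1\""
}

# Constructed sample records (not from a real system): one execution of the
# watched binary and one ordinary execve caught by the catch-all rule.
SAMPLE_LOG='type=SYSCALL msg=audit(1200700000.123:42): arch=c000003e syscall=59 success=yes exit=0 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=SYSCALL msg=audit(1200700001.456:43): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" key="all-exec"'

# Stand-alone run: print the rules-file fragment, then the count for the watch key.
execve_rules
exec_watch_rule /usr/sbin/stunnel my-file-is-executed
printf '%s\n' "$SAMPLE_LOG" | count_by_key my-file-is-executed
```

A `-p x` watch only fires when the watched path is the target of execve: a script run as `sh /path/script` executes the interpreter and merely reads the script, so a read watch (`-p r`) would be needed to see that case.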

* RE: auditing files which are executed?
From: Brennan, William C @ 2008-01-21 17:08 UTC (permalink / raw)
  To: linux-audit

Steve Grubb wrote:
> 
> You use file watches:
>
> auditctl  -w /usr/sbin/stunnel  -p x  -k my-file-is-executed
>
> There are examples of this in the CAPP & LSPP rules. You can find this
> by 'rpm -ql audit | grep lspp'

Thanks Steve.  I completely overlooked the example files. 

-- Bill
