From: Steve Grubb
Subject: Re: auditing files which are executed?
Date: Fri, 18 Jan 2008 21:02:48 -0500
Message-ID: <200801182102.48410.sgrubb@redhat.com>
In-Reply-To: <249DC7180F301445BCA2E01EAAFDF40908F9594E@emss04m05.us.lmco.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 18 January 2008 18:32:57 Brennan, William C wrote:
> Okay, that's valuable, but I see I did not describe my problem precisely
> enough.  Let me try this again.  How do I configure parameters for
> auditctl to make an audit record every time a PARTICULAR file is
> executed?

You use file watches:

auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed

There are examples of this in the CAPP & LSPP rules. You can find this
by 'rpm -ql audit | grep lspp'

-Steve
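
An added example, not part of the message above and not code from the audit project: once the watch is loaded, every event it triggers carries the key given with -k, so the executions can be pulled out of the audit log by that key. The sketch below does this over constructed sample records in audit.log layout; the second key ("passwd-read"), the sample field values and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

KEY = "my-file-is-executed"  # the -k value used in the watch above

# Constructed sample records in audit.log layout (not captured from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1200708168.410:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2190 auid=500 uid=0 gid=0 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=CWD msg=audit(1200708168.410:101): cwd="/root"
type=PATH msg=audit(1200708168.410:101): item=0 name="/usr/sbin/stunnel" inode=1234 mode=0100755
type=SYSCALL msg=audit(1200708170.002:102): arch=c000003e syscall=2 success=yes exit=3 ppid=2100 pid=2191 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key="passwd-read"
type=PATH msg=audit(1200708170.002:102): item=0 name="/etc/passwd" inode=99 mode=0100644
type=SYSCALL msg=audit(1200708175.900:103): arch=c000003e syscall=59 success=no exit=-13 ppid=2300 pid=2301 auid=501 uid=501 gid=501 comm="bash" exe="/bin/bash" key="my-file-is-executed"
type=PATH msg=audit(1200708175.900:103): item=0 name="/usr/sbin/stunnel" inode=1234 mode=0100755
'''

MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by event serial; all records of one event share it."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["time"] = float(ts)
        events[int(serial)].setdefault(rtype, []).append(fields)
    return events

def executions(log_text, key=KEY):
    """Return one summary per event whose SYSCALL record carries `key`."""
    hits = []
    for serial, recs in sorted(parse_events(log_text).items()):
        sc = next((r for r in recs.get("SYSCALL", []) if r.get("key") == key), None)
        if sc is None:
            continue
        hits.append({"serial": serial, "auid": sc["auid"], "uid": sc["uid"],
                     "success": sc["success"] == "yes", "exe": sc["exe"],
                     "paths": [p["name"] for p in recs.get("PATH", [])]})
    return hits

if __name__ == "__main__":
    for hit in executions(SAMPLE_LOG):
        print(hit)
```

On a live system the same selection is what 'ausearch -k my-file-is-executed' performs; the auid field identifies the login user even when uid has changed, and success=no marks a denied attempt.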