From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
Date: Fri, 2 May 2014 11:25:49 -0400
Message-ID: <20140502112549.236eb15e@ivy-bridge>
References: <1345749954-28749-1-git-send-email-pmoody@google.com>
 <20140502144956.GE24821@madcap2.tricolour.ca>
In-Reply-To: <20140502144956.GE24821@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 2 May 2014 10:49:56 -0400 Richard Guy Briggs wrote:
> > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
> > success=1
> >
> > to see instances of /bin/bash opening a non-local socket. Or
> >
> > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F
> > exe_children=/bin/bash -F success=1
> >
> > to instances of /bin/bash, and any descendant processes, opening a
> > non local socket.
>
> In addition to these sample rules, do you have a command or script to
> trigger it?

You should be able to load a rule like this:

-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=test

Then run

touch /tmp/test

then

ausearch --start recent -k test

-Steve
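The filters of the socket rule quoted in the thread (arch=b64, -S socket, a0!=1, exe=..., success=1), applied to constructed raw audit SYSCALL records, as an added example that is not code from the thread or from the audit project. The sample records, the x86_64 socket syscall number 41 and AF_UNIX=1 are assumptions, and the exe_children ancestry match from the patch is not modelled, only the plain exe filter.

```python
import re

# Constructed sample records in raw /var/log/audit/audit.log SYSCALL format
# (not real captures): a /bin/bash AF_INET socket, a /bin/bash AF_UNIX socket,
# a failed /bin/bash socket call, and a socket opened by another binary.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1399043149.236:101): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=2001 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1399043150.100:102): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=1 a2=0 a3=0 pid=2001 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1399043151.500:103): arch=c000003e syscall=41 success=no exit=-24 a0=2 a1=1 a2=0 a3=0 pid=2002 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1399043152.000:104): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=2003 comm="curl" exe="/usr/bin/curl" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')
ARCH_B64 = "c000003e"    # AUDIT_ARCH_X86_64 as the kernel logs it (-F arch=b64)
SYS_SOCKET_X86_64 = 41   # __NR_socket on x86_64 (-S socket); assumed constant
AF_UNIX = 1              # local socket family the rule excludes with -F a0!=1


def parse_record(line):
    """Split one raw record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def matches_rule(rec, exe):
    """Apply each -F filter of the quoted rule to one parsed SYSCALL record."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_B64:
        return False
    if int(rec.get("syscall", "-1")) != SYS_SOCKET_X86_64:
        return False
    if int(rec.get("a0", "0"), 16) == AF_UNIX:   # syscall args are logged in hex
        return False
    if rec.get("success") != "yes":              # -F success=1
        return False
    return rec.get("exe") == exe                 # -F exe=<path>


def matching_serials(log, exe="/bin/bash"):
    """Return the audit serial numbers of records the rule would have flagged."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if matches_rule(rec, exe):
            hits.append(SERIAL_RE.search(rec["msg"]).group(1))
    return hits


if __name__ == "__main__":
    print(matching_serials(SAMPLE_LOG))   # ['101']
```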