From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
Date: Mon, 27 Aug 2012 08:54:19 -0400
Message-ID: <2471956.TsCfalT7Us@x2>
References: <1345749954-28749-1-git-send-email-pmoody@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1345749954-28749-1-git-send-email-pmoody@google.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Peter Moody
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, August 23, 2012 12:25:54 PM Peter Moody wrote:
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
> success=1
>
> to see instances of /bin/bash opening a non-local socket. Or
>
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F
> success=1
>
> to instances of /bin/bash, and any descendant processes, opening a non local
> socket.
>
> proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
> and it seemed like there was interest.

Yeah, another use case might be:

-a always,exit -F dir=/watched-dir -F perms=r -F exe=/usr/bin/scp

So that you can see files being transferred away from a directory that you
care about. Of course you wouldn't have the address unless you also catch the
connect or maybe execve.

I'll merge the user space code when this is accepted into the kernel.

Thanks,
-Steve
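An added example, not code from the patch or from anyone in this thread: a user-space reconstruction in Python of what the two socket rules quoted above would select, run over constructed SYSCALL records in auditd's format. The exe_children semantics (the process itself or any ancestor running the named exe) are emulated here by walking pid/ppid/exe fields found in the log; that is an assumption about the proposed filter's meaning, not the kernel patch's own logic, and only ancestors that appear in the log can be seen.

```python
import re
AF_UNIX = 1          # the rule's "a0!=1" drops local (AF_UNIX) sockets
SYS_SOCKET_B64 = 41  # "-S socket" under "-F arch=b64" on x86_64

# Constructed sample records (not real logs) in auditd's SYSCALL format,
# trimmed to the fields the rule needs; a0 (the socket family) is hex.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1345749954.100:100): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 pid=2000 ppid=1000 exe="/bin/bash"
type=SYSCALL msg=audit(1345749954.101:101): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 pid=2001 ppid=2000 exe="/usr/bin/curl"
type=SYSCALL msg=audit(1345749954.102:102): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=1 a2=0 pid=2002 ppid=2000 exe="/usr/bin/ssh"
type=SYSCALL msg=audit(1345749954.103:103): arch=c000003e syscall=41 success=yes exit=3 a0=a a1=1 a2=6 pid=3001 ppid=3000 exe="/usr/bin/nc"
type=SYSCALL msg=audit(1345749954.104:104): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 pid=2003 ppid=2000 exe="/usr/bin/wget"
type=SYSCALL msg=audit(1345749954.105:105): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 pid=2000 ppid=1000 exe="/bin/bash"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One audit record -> dict; exe is unquoted, 'id' is the event serial."""
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    f["id"] = f["msg"].split(":")[1].rstrip(")")   # msg=audit(TIME:SERIAL):
    return f

def descends_from(pid, exe, pmap):
    """True if pid, or any ancestor known from the log, runs exe: the assumed
    exe_children semantics, rebuilt from pid/ppid/exe fields."""
    seen = set()
    while pid in pmap and pid not in seen:   # stop at unknown pids or cycles
        seen.add(pid)
        ppid, cur_exe = pmap[pid]
        if cur_exe == exe:
            return True
        pid = ppid
    return False

def match_socket_rule(log, exe, children=False):
    """Event ids selected by '-S socket -F a0!=1 -F success=1' combined with
    '-F exe=EXE' (children=False) or '-F exe_children=EXE' (children=True)."""
    records = [parse_record(l) for l in log.splitlines() if l.strip()]
    pmap = {int(r["pid"]): (int(r["ppid"]), r["exe"]) for r in records}
    hits = []
    for r in records:
        if int(r["syscall"]) != SYS_SOCKET_B64 or r["success"] != "yes":
            continue
        if int(r["a0"], 16) == AF_UNIX:      # non-local sockets only
            continue
        matched = descends_from(int(r["pid"]), exe, pmap) if children else r["exe"] == exe
        if matched:
            hits.append(r["id"])
    return hits
```

With the sample records, the plain exe rule selects only bash's own socket() (event 105), while the exe_children form also catches curl started under that bash (event 101); ssh (AF_UNIX), the failed wget call, and nc under an unrelated parent are left out.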