From: Steve Grubb
Subject: Re: [PATCH] audit: audit on the future execution of a binary.
Date: Fri, 20 Sep 2013 12:18:40 -0400
Message-ID: <4340717.2JglgZtF9r@x2>
In-Reply-To: <5192425.psOmB7euJG@x2>
References: <1345749840-28555-1-git-send-email-pmoody@google.com> <1983744.efnQVMhNqu@x2> <5192425.psOmB7euJG@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, July 09, 2013 03:03:59 PM Steve Grubb wrote:
> On Sunday, July 07, 2013 15:41:41 Peter Moody wrote:
> > I *think* I'm the only one who's been asking for this feature, so
> > hopefully my not getting to it won't be putting anyone out.
>
> The reason that this is needed is that what we have available for auditing
> strange problems that a particular program might have is the
> equivalent of audit by inode. You have to have the pid in order to write a
> rule. Another invocation and we need a new rule. This feature would allow
> you to do investigations like:
>
> - give me all EPERM events generated by apache.
> - give me all files opened by gnash
> - give me all execve calls made by bind
> - record any time sendmail fails to change uid
> - exclude any opens with ENOENT by top secret processes <- real important

Another use case someone asked for this week:

- Give me all files transferred by scp.

-Steve
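The investigations listed in the thread all key on the executable rather than on a pid. As an added illustration (not code from the thread, the patch, or the audit project), the script below runs each of those questions, plus the scp case, as a filter over SYSCALL records. The records are constructed for this example and follow the field layout auditd emits (syscall=, success=, exit=, comm=, exe=); the executable paths, syscall numbers (x86_64) and the "topsecret" key are assumptions chosen for the sample, and the filtering is done in userspace here only to show what each rule is meant to select.

```python
"""Executable-keyed audit investigations over constructed SYSCALL records (added example)."""
import re

# x86_64 syscall numbers (arch=c000003e) for the calls the examples care about.
OPEN, OPENAT, EXECVE, SETUID, SETRESUID = 2, 257, 59, 105, 117
EPERM, ENOENT = 1, 2  # errno values; a failed syscall reports exit=-errno

# Constructed sample records, not from a real system. Same layout as auditd's
# SYSCALL lines (one event per line, unrelated fields omitted for brevity).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1379693939.101:201): arch=c000003e syscall=2 success=no exit=-1 pid=1201 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="apache"
type=SYSCALL msg=audit(1379693939.102:202): arch=c000003e syscall=2 success=yes exit=5 pid=1201 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="apache"
type=SYSCALL msg=audit(1379693939.103:203): arch=c000003e syscall=257 success=yes exit=7 pid=1333 uid=1000 comm="gnash" exe="/usr/bin/gnash" key="gnash"
type=SYSCALL msg=audit(1379693939.104:204): arch=c000003e syscall=59 success=yes exit=0 pid=1400 uid=25 comm="named" exe="/usr/sbin/named" key="bind"
type=SYSCALL msg=audit(1379693939.105:205): arch=c000003e syscall=105 success=no exit=-1 pid=1500 uid=0 comm="sendmail" exe="/usr/sbin/sendmail" key="sendmail"
type=SYSCALL msg=audit(1379693939.106:206): arch=c000003e syscall=2 success=no exit=-2 pid=1600 uid=1001 comm="ts-tool" exe="/opt/ts/bin/ts-tool" key="topsecret"
type=SYSCALL msg=audit(1379693939.107:207): arch=c000003e syscall=2 success=yes exit=4 pid=1600 uid=1001 comm="ts-tool" exe="/opt/ts/bin/ts-tool" key="topsecret"
type=SYSCALL msg=audit(1379693939.108:208): arch=c000003e syscall=257 success=yes exit=3 pid=1700 uid=1000 comm="scp" exe="/usr/bin/scp" key="scp"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value audit line into a dict; quoted values are unquoted."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def load(text):
    """Parse every non-empty line of an audit dump."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def matches(rec, exe=None, syscalls=None, errno=None, success=None):
    """True when the record satisfies every criterion that was given."""
    if exe is not None and rec.get("exe") != exe:
        return False
    if syscalls is not None and int(rec.get("syscall", -1)) not in syscalls:
        return False
    if errno is not None and int(rec.get("exit", 0)) != -errno:
        return False
    if success is not None and rec.get("success") != success:
        return False
    return True


def select(records, **criteria):
    return [r for r in records if matches(r, **criteria)]


# --- the investigations from the thread, each keyed on the executable ---

def eperm_events_from(records, exe):
    """All EPERM events generated by a program (e.g. apache)."""
    return select(records, exe=exe, errno=EPERM)


def files_opened_by(records, exe):
    """Successful open/openat calls made by a program (e.g. gnash, scp)."""
    return select(records, exe=exe, syscalls={OPEN, OPENAT}, success="yes")


def execve_calls_by(records, exe):
    """Every execve issued by a program (e.g. bind)."""
    return select(records, exe=exe, syscalls={EXECVE})


def failed_uid_changes_by(records, exe):
    """Times a program (e.g. sendmail) tried and failed to change uid."""
    return select(records, exe=exe, syscalls={SETUID, SETRESUID}, success="no")


def drop_enoent_opens(records, exe):
    """Everything except ENOENT opens from a given (sensitive) program."""
    return [r for r in records
            if not matches(r, exe=exe, syscalls={OPEN, OPENAT}, errno=ENOENT)]


if __name__ == "__main__":
    recs = load(SAMPLE_RECORDS)
    for r in eperm_events_from(recs, "/usr/sbin/httpd"):
        print("apache EPERM:", r["msg"], "syscall", r["syscall"])
    for r in files_opened_by(recs, "/usr/bin/scp"):
        print("scp open:", r["msg"], "fd", r["exit"])
    print("kept after dropping ts-tool ENOENT opens:",
          len(drop_enoent_opens(recs, "/opt/ts/bin/ts-tool")))
```

The `exit=` field is the signed syscall return value, so an errno filter compares against `-errno`; a rule written on the positive errno alone would never match. The exclusion case is written as a negative filter over everything else, which is the shape the "exclude ... <- real important" item asks for: the noisy records are removed while every other record from that program is kept.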