From: Matthew Booth
Subject: Re: auditing files which are executed?
Date: Fri, 18 Jan 2008 22:49:38 +0000
Message-ID: <47912D02.30708@redhat.com>
References: <249DC7180F301445BCA2E01EAAFDF40908F9591B@emss04m05.us.lmco.com>
In-Reply-To: <249DC7180F301445BCA2E01EAAFDF40908F9591B@emss04m05.us.lmco.com>
To: "Brennan, William C"
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Brennan, William C wrote:
> Okay, I’m a newbie, so excuse this question if the answer seems obvious.
>
> I’ve looked at auditctl to see how it can help us audit several
> different conditions, but I can’t figure out how to do the following:
>
> How do I configure parameters for auditctl to make an audit record every
> time a file is executed?
>

On i386:

-a entry,always -F arch=i386 -S execve

On x86_64, you need the above in addition to:

-a entry,always -F arch=x86_64 -S execve

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A  1600 3441 EA19 D33C 3490
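
Added example, not part of the original message or of the audit project's code: with both rules loaded, each execve yields a SYSCALL record and an EXECVE record that share an event serial, and the syscall number depends on the ABI (11 on i386, 59 on x86_64), which is why the second rule is needed on x86_64. This Python example pairs the records and filters on the per-arch number; the sample records, paths and IDs are constructed, and the field layout assumed is the usual audit.log text format.

```python
import re
from collections import defaultdict

# AUDIT_ARCH value as logged -> (ABI name, execve syscall number on that ABI).
EXECVE_NR = {"40000003": ("i386", 11), "c000003e": ("x86_64", 59)}

# Constructed sample records (illustrative, not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200696578.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2110 pid=2144 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1200696578.101:501): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1200696579.220:502): arch=40000003 syscall=11 success=yes exit=0 ppid=2110 pid=2150 auid=500 uid=500 comm="tool32" exe="/opt/legacy/tool32" key=(null)
type=EXECVE msg=audit(1200696579.220:502): argc=1 a0="/opt/legacy/tool32"
type=SYSCALL msg=audit(1200696580.007:503): arch=c000003e syscall=2 success=yes exit=3 ppid=2110 pid=2144 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_execs(log_text):
    """Group records by event serial and return one dict per execve event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    execs = []
    for serial in sorted(events):
        sc = events[serial].get("SYSCALL")
        if not sc or sc.get("arch") not in EXECVE_NR:
            continue
        abi, nr = EXECVE_NR[sc["arch"]]
        if int(sc["syscall"]) != nr:  # e.g. 2 on x86_64 is open(), not execve
            continue
        ex = events[serial].get("EXECVE", {})
        # Arguments the kernel logs hex-encoded (unquoted) are left as-is here.
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        execs.append({"serial": serial, "abi": abi, "exe": sc["exe"],
                      "auid": sc["auid"], "argv": argv})
    return execs

if __name__ == "__main__":
    for e in parse_execs(SAMPLE_LOG):
        print(e)
```

Event 502 is a 32-bit program run on a 64-bit host; it is logged under the i386 ABI and would go unrecorded if only the x86_64 rule were loaded.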