From: Steve Grubb
Subject: Re: [PATCH] audit: audit on the future execution of a binary.
Date: Tue, 09 Jul 2013 15:03:59 -0400
Message-ID: <5192425.psOmB7euJG@x2>
References: <1345749840-28555-1-git-send-email-pmoody@google.com> <20130704024856.GA17316@madcap2.tricolour.ca> <1983744.efnQVMhNqu@x2>
In-Reply-To: <1983744.efnQVMhNqu@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sunday, July 07, 2013 15:41:41 Peter Moody wrote:
> I *think* I'm the only one who's been asking for this feature, so
> hopefully my not getting to it won't be putting anyone out.

The reason that this is needed is that what we have available for auditing
strange problems that a particular program might have is the equivalent of
audit by inode. You have to have the pid in order to write a rule. Another
invocation and we need a new rule. This feature would allow you to do
investigations like:

- give me all EPERM events generated by apache.
- give me all files opened by gnash
- give me all execve calls made by bind
- record any time sendmail fails to change uid
- exclude any opens with ENOENT by top secret processes <- real important

-Steve
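The five investigations listed in the message, expressed as selections over audit SYSCALL records keyed by the exe field rather than by pid; this is an added example, not code from the message or from the audit project, and the log lines, executable paths, pids and event serials are constructed for it.

```python
import re

# errno values and x86_64 syscall numbers the queries below refer to
EPERM, ENOENT = 1, 2
SYS_OPEN, SYS_EXECVE, SYS_SETUID = 2, 59, 105
# Constructed sample SYSCALL records (not taken from the original message).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1373396639.100:101): arch=c000003e syscall=2 success=no exit=-1 pid=2001 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1373396640.200:102): arch=c000003e syscall=2 success=yes exit=5 pid=2001 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1373396641.300:103): arch=c000003e syscall=2 success=no exit=-2 pid=3005 uid=1000 comm="gnash" exe="/usr/bin/gnash" key=(null)
type=SYSCALL msg=audit(1373396642.400:104): arch=c000003e syscall=59 success=yes exit=0 pid=4010 uid=25 comm="named" exe="/usr/sbin/named" key=(null)
type=SYSCALL msg=audit(1373396643.500:105): arch=c000003e syscall=105 success=no exit=-1 pid=5020 uid=0 comm="sendmail" exe="/usr/sbin/sendmail" key=(null)
type=SYSCALL msg=audit(1373396644.600:106): arch=c000003e syscall=2 success=no exit=-2 pid=6030 uid=1000 comm="ts" exe="/opt/topsecret/bin/ts" key=(null)
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_records(text):
    """Parse key=value SYSCALL lines into dicts; exit is the raw return value (-errno on failure)."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec["serial"] = int(rec["msg"].split(":")[1].rstrip(")"))
        rec["syscall"] = int(rec["syscall"])
        rec["exit"] = int(rec["exit"])
        records.append(rec)
    return records

def by_exe(records, exe, syscall=None, errno=None):
    """Select records by executable path, optionally narrowed by syscall number and errno."""
    return [r for r in records
            if r["exe"] == exe
            and (syscall is None or r["syscall"] == syscall)
            and (errno is None or r["exit"] == -errno)]

def exclude(records, exe, syscall=None, errno=None):
    """Keep everything except what by_exe would select (the 'exclude' case from the message)."""
    drop = {r["serial"] for r in by_exe(records, exe, syscall, errno)}
    return [r for r in records if r["serial"] not in drop]

def investigation(records):
    """The five investigations from the message, each reduced to a list of event serials."""
    serials = lambda rs: [r["serial"] for r in rs]
    return {
        "apache_eperm": serials(by_exe(records, "/usr/sbin/httpd", errno=EPERM)),
        "gnash_opens": serials(by_exe(records, "/usr/bin/gnash", syscall=SYS_OPEN)),
        "bind_execve": serials(by_exe(records, "/usr/sbin/named", syscall=SYS_EXECVE)),
        "sendmail_setuid_fail": serials(by_exe(records, "/usr/sbin/sendmail", syscall=SYS_SETUID, errno=EPERM)),
        "no_topsecret_enoent": serials(exclude(records, "/opt/topsecret/bin/ts", syscall=SYS_OPEN, errno=ENOENT)),
    }
```

The message asks for this selection to happen in the kernel when the rule is evaluated, so that unwanted events are never logged; the code above performs the same selection over records that have already been collected.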