Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
On Fri, 2 May 2014 10:49:56 -0400
Richard Guy Briggs <rgb(a)redhat.com> wrote:
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F
exe=/bin/bash -F
> success=1
>
> to see instances of /bin/bash opening a non-local socket. Or
>
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F
> exe_children=/bin/bash -F success=1
>
> to instances of /bin/bash, and any descendant processes, opening a
> non local socket.
In addition to these sample rules, do you have a command or script to
trigger it?
You should be able to load a rule like this:
-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=test
Then run
touch /tmp/test
then ausearch --start recent -k test
-Steve