On Tuesday, July 09, 2013 03:03:59 PM Steve Grubb wrote:
On Sunday, July 07, 2013 15:41:41 Peter Moody wrote:
> I *think* I'm the only one who's been asking for this feature, so
> hopefully my not getting to it won't be putting anyone out.
The reason that this is needed is that what we have available for auditing
strange problems that a particular program might have is the
equivalent of audit by inode. You have to have the pid in order to write a
rule. Another invocation and we need a new rule. This feature would allow
you to do investigations like:
- give me all EPERM events generated by apache.
- give me all files opened by gnash
- give me all execve calls made by bind
- record any time sendmail fails to change uid
- exclude any opens with ENOENT by top secret processes <- real important
Another use case someone asked for this week:
- Give me all files transferred by scp.
-Steve
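The investigations Steve lists, written out as audit rules, as an added example that is not code from the thread. It assumes the `-F exe=` field that later auditctl releases provide and assumed binary paths; the rules are only printed, not loaded, so it runs without root or auditd.

```shell
# Added example, not from the mail: the listed use cases as audit rules.
# Assumes the "-F exe=" field of later auditctl releases and the binary
# paths below (all assumed). Rules are printed, not loaded.

# One rule per executable, whatever pid it happens to run as.
# $1 = executable path, $2 = syscall list, $3 = extra -F filters (may be
# empty), $4 = key for finding the events later with "ausearch -k".
rule_for_exe() {
    rule="-a always,exit -F arch=b64 -S $2 -F exe=$1${3:+ $3} -k $4"
    printf '%s\n' "$rule"
}

# What the mail says is needed today: one rule per running pid, which must
# be regenerated for every new invocation. $1 = executable path,
# $2 = proc root (default /proc; a constructed tree is used when testing).
rules_for_pids_of() {
    exe="$1"; proc="${2:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        [ "$target" = "$exe" ] || continue
        printf '%s\n' "-a always,exit -F arch=b64 -S open,openat -F pid=${d##*/} -k by-pid"
    done
}

# The use cases from the mail, with assumed paths.
apache_eperm()    { rule_for_exe /usr/sbin/httpd    all              "-F exit=-EPERM" apache-eperm; }
gnash_opens()     { rule_for_exe /usr/bin/gnash     open,openat      ""               gnash-files; }
bind_execve()     { rule_for_exe /usr/sbin/named    execve           ""               bind-execve; }
sendmail_setuid() { rule_for_exe /usr/sbin/sendmail setuid,setresuid "-F success=0"   sendmail-uid; }
# Exclusion: drop ENOENT opens from the given process. Rules are evaluated
# in order, so a "never" rule has to be loaded before the "always" rules.
no_enoent_opens() {
    printf '%s\n' "-a never,exit -F arch=b64 -S open,openat -F exe=$1 -F exit=-ENOENT"
}

# Usage: print the rule set (pipe into "auditctl -R /dev/stdin" to load it).
no_enoent_opens /path/to/topsecret-binary   # assumed placeholder path
for f in apache_eperm gnash_opens bind_execve sendmail_setuid; do
    $f
done
```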