Steve Grubb wrote:
> You use file watches:
>
> auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed
>
> There are examples of this in the CAPP & LSPP rules. You can find this
> by 'rpm -ql audit | grep lspp'

Thanks Steve. I completely overlooked the example files.
-- Bill
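
Added example, not part of the original thread or the audit package: events produced by the watch quoted above carry key="my-file-is-executed" in the audit log, so they can be picked out by that key. The log records below are constructed, and the function names `sample_log` and `watch_hits` are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit.log records (illustrative, not real data).
# In the third SYSCALL record the execve failed, so exe= is the caller.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 tty=pts0 ses=3 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="stunnel" a1="/etc/stunnel/stunnel.conf"
type=SYSCALL msg=audit(1700000050.220:502): arch=c000003e syscall=2 success=yes exit=3 ppid=2100 pid=2150 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="other-watch"
type=SYSCALL msg=audit(1700000100.330:503): arch=c000003e syscall=59 success=no exit=-13 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key="my-file-is-executed"
EOF
}

# Print one summary line per SYSCALL record whose key equals $1.
# Raw audit fields are space-separated name=value pairs; auditd
# hex-encodes values containing spaces, so whitespace splitting is safe.
watch_hits() {
    awk -v want="$1" '
    $1 == "type=SYSCALL" {
        id = ""; key = ""; auid = ""; exe = ""; ok = ""
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            name = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (name == "msg") {
                # msg=audit(TIMESTAMP:SERIAL): -> TIMESTAMP:SERIAL
                sub(/^audit\(/, "", val)
                sub(/\):$/, "", val)
                id = val
            }
            if (name == "key") key = val
            if (name == "auid") auid = val
            if (name == "exe") exe = val
            if (name == "success") ok = val
        }
        if (key == want) {
            printf "%s auid=%s success=%s exe=%s\n", id, auid, ok, exe
        }
    }'
}

# Usage: on a real host, feed /var/log/audit/audit.log instead.
sample_log | watch_hits my-file-is-executed
```

On a live system, `ausearch -k my-file-is-executed` queries the same key directly.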