On Thursday, August 23, 2012 12:25:54 PM Peter Moody wrote:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1
to see instances of /bin/bash opening a non-local socket. Or
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1
to see instances of /bin/bash, and any descendant processes, opening a non-local socket.
proposed
https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
and it seemed like there was interest.
Yeah, another use case might be:
-a always,exit -F dir=/watched-dir -F perms=r -F exe=/usr/bin/scp
So that you can see files being transferred away from a directory that you care
about. Of course you wouldn't have the address unless you also catch the
connect or maybe execve.
I'll merge the user space code when this is accepted into the kernel.
Thanks,
-Steve
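The first rule in the thread (socket syscall, a0 != AF_UNIX, a given exe, success) can also be applied after the fact to SYSCALL records in audit.log. The script below is an added example, not code from the thread or from the audit project; the log lines are constructed, and it approximates only the `exe` filter (the `exe_children` variant would additionally need the process tree, e.g. by following ppid).

```python
import re
from typing import Dict, List

# Constructed sample records in the layout of type=SYSCALL lines from audit.log
# (values made up for illustration; syscall 41 is socket(2) on x86_64).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1345723554.123:101): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 pid=4321 ppid=4300 uid=1000 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1345723554.124:102): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=1 a2=0 a3=0 pid=4321 ppid=4300 uid=1000 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1345723554.125:103): arch=c000003e syscall=41 success=no exit=-13 a0=a a1=1 a2=6 a3=0 pid=4322 ppid=4321 uid=1000 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1345723554.126:104): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=2 a2=11 a3=0 pid=4400 ppid=1 uid=0 comm="sshd" exe="/usr/sbin/sshd"
"""

# key=value pairs; quoted values (comm, exe) may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYS_SOCKET_X86_64 = 41   # socket(2) number for arch=c000003e (b64)
AF_UNIX = 1              # the a0 value the rule excludes with a0!=1


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a key/value dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def nonlocal_sockets(records: str, exe: str = "/bin/bash") -> List[Dict[str, str]]:
    """Records where `exe` successfully created a socket whose family is not AF_UNIX.

    This mirrors: -S socket -F 'a0!=1' -F exe=<exe> -F success=1
    """
    hits = []
    for line in records.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if int(rec.get("syscall", "-1")) != SYS_SOCKET_X86_64:
            continue
        # audit writes syscall arguments in hex (a0=a is AF_INET6)
        if int(rec["a0"], 16) == AF_UNIX:
            continue
        if rec.get("exe") != exe or rec.get("success") != "yes":
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in nonlocal_sockets(SAMPLE_RECORDS):
        print(hit["pid"], hit["exe"], "family=0x" + hit["a0"])
```

Only record 101 survives: 102 is AF_UNIX, 103 failed, and 104 belongs to a different exe.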