On Mon, Jan 11, 2016 at 2:14 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
This release adds audit by executable name support if your kernel also
supports it. The audit by executable names support will allow you to write
rules that target an exact application so that you can see if it is doing
something odd. An example rule would look like this:

-a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network
I think you will need the 4.4 kernel or later to use this feature.
Linux 4.3 has the necessary support.
* http://www.paul-moore.com/blog/d/2015/11/linux-v43.html
--
paul moore
www.paul-moore.com
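As an added example (not part of this thread, and not code from the audit project), the script below does the two things a practitioner would want before relying on the rule quoted above: it checks that the running kernel is at least the 4.3 that the reply names as the first version with the necessary support, and it builds the per-executable rule shown in the announcement, refusing a non-absolute path since "-F exe=" matches on the full path of the running binary. The function names (`kernel_supports_exe_filter`, `build_exe_rule`) are my own; the version threshold comes from the thread.

```shell
#!/bin/sh
# Added example: kernel-version check and rule builder for audit's "-F exe="
# filter. Assumes POSIX sh; function names are this example's own.

# Return 0 if the given kernel version string (default: uname -r) is >= 4.3,
# the first mainline release named in the thread as carrying exe-filter support.
kernel_supports_exe_filter() {
    ver=${1:-$(uname -r)}          # e.g. "4.4.0-1-amd64"
    major=${ver%%.*}               # "4"
    rest=${ver#*.}                 # "4.0-1-amd64"
    minor=${rest%%[!0-9]*}         # "4" (strip at first non-digit)
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 3 ]; }
}

# Print an audit rule that records connect/sendto calls made by one executable.
# $1: absolute path of the binary to watch; $2: key to tag the records with.
build_exe_rule() {
    exe=$1
    key=${2:-exe-network}
    case $exe in
        /*) ;;   # exe= is compared against the full path, so require one
        *)  echo "executable path must be absolute: $exe" >&2; return 1 ;;
    esac
    printf -- '-a always,exit -F arch=x86_64 -S connect,sendto -F exe=%s -F key=%s\n' \
        "$exe" "$key"
}

# Usage (needs root and an audit-enabled kernel; not run here):
#   kernel_supports_exe_filter || echo "kernel too old for -F exe=" >&2
#   build_exe_rule /bin/sh bash-network > /etc/audit/rules.d/bash-network.rules
#   augenrules --load
#   ausearch -k bash-network -i
```

Two caveats worth keeping in mind: the rule carries `arch=x86_64`, so a 32-bit process would need a second rule with `arch=b32`, and because the match is on the executable's path, a renamed or copied shell is not covered by a rule for `/bin/sh`.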