Matthew Booth wrote:
Brennan, William C wrote:
> How do I configure parameters for auditctl to make an audit record every
> time a file is executed?
>
On i386:
-a entry,always -F arch=i386 -S execve
On x86_64, you need the above in addition to:
-a entry,always -F arch=x86_64 -S execve
Okay, that's valuable, but I see I did not describe my problem precisely
enough. Let me try this again. How do I configure parameters for
auditctl to make an audit record every time a PARTICULAR file is
executed?
Is there a way to do this? Or is the only way to report on this
information by collecting auditing for all executed files (as given,
above), and then to filter more accurately using "ausearch -f filename"?
-- Bill
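
The collect-all-execve-then-filter approach raised above, as an added example that is not part of the original thread and not ausearch's own code: it groups audit records by event and keeps the execve events whose executed path resolves to one particular file. The log lines are constructed, and treating PATH item 0 as the executed file is an assumption of this sketch.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records in audit.log style (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1160000000.101:41): arch=40000003 syscall=11 success=yes exit=0 pid=2301 uid=500 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1160000000.101:41): cwd="/home/bill"
type=PATH msg=audit(1160000000.101:41): item=0 name="/bin/ls" inode=1101
type=SYSCALL msg=audit(1160000000.202:42): arch=c000003e syscall=59 success=yes exit=0 pid=2302 uid=0 comm="backup.sh" exe="/bin/bash"
type=CWD msg=audit(1160000000.202:42): cwd="/usr/local/bin"
type=PATH msg=audit(1160000000.202:42): item=0 name="./backup.sh" inode=2202
type=PATH msg=audit(1160000000.202:42): item=1 name="/bin/bash" inode=1102
type=SYSCALL msg=audit(1160000000.303:43): arch=c000003e syscall=59 success=yes exit=0 pid=2303 uid=500 comm="backup.sh" exe="/bin/bash"
type=CWD msg=audit(1160000000.303:43): cwd="/"
type=PATH msg=audit(1160000000.303:43): item=0 name=2F6F70742F6D7920746F6F6C2F6261636B75702E7368 inode=3303
"""

REC = re.compile(r"^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$", re.M)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_NR = {"40000003": "11", "c000003e": "59"}  # arch -> execve number (i386, x86_64)

def decode(value):
    """Plain strings are quoted; names with spaces or control bytes are hex-encoded."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode("utf-8", "replace")

def executions_of(log_text, target):
    """Return [(event_id, pid, uid)] for execve events whose PATH item 0 is target."""
    events = defaultdict(lambda: {"paths": {}})
    for rtype, event_id, body in REC.findall(log_text):
        fields = dict(FIELD.findall(body))
        ev = events[event_id]  # records of one event share timestamp:serial
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = decode(fields["cwd"])
        elif rtype == "PATH":
            ev["paths"][fields["item"]] = decode(fields["name"])
    hits = []
    for event_id, ev in events.items():
        sc = ev.get("syscall")
        if not sc or EXECVE_NR.get(sc.get("arch")) != sc.get("syscall") or "0" not in ev["paths"]:
            continue
        # Assumption: item 0 is the executed file; resolve relative names against CWD.
        path = posixpath.normpath(posixpath.join(ev.get("cwd", "/"), ev["paths"]["0"]))
        if path == target:
            hits.append((event_id, int(sc["pid"]), int(sc["uid"])))
    return hits
```

Matching on the resolved PATH name rather than the `exe` field is what catches the script runs here, since `exe` shows only the interpreter.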