On Friday 18 January 2008 18:32:57 Brennan, William C wrote:
> Okay, that's valuable, but I see I did not describe my problem
> precisely enough. Let me try this again. How do I configure
> parameters for auditctl to make an audit record every time a
> PARTICULAR file is executed?

You use file watches:

    auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed

There are examples of this in the CAPP & LSPP rules. You can find this
by 'rpm -ql audit | grep lspp'
-Steve
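
Added example, not part of the original message: once the watch above is loaded, each execution is logged as a group of records sharing one event serial, with the rule's key on the SYSCALL record (the records `ausearch -k my-file-is-executed` selects). The sketch below picks those events out of raw audit.log text and joins each with its EXECVE and PATH records; the log lines are constructed samples and the function names are hypothetical.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records in the audit.log layout (not captured from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1200699177.101:410): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2150 auid=500 uid=0 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=EXECVE msg=audit(1200699177.101:410): argc=2 a0="stunnel" a1="/etc/stunnel/stunnel.conf"
type=PATH msg=audit(1200699177.101:410): item=0 name="/usr/sbin/stunnel" inode=98321 mode=0100755
type=SYSCALL msg=audit(1200699180.554:411): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2151 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1200699191.007:412): arch=c000003e syscall=59 success=no exit=-13 ppid=2101 pid=2152 auid=501 uid=501 comm="bash" exe="/bin/bash" key="my-file-is-executed"
type=PATH msg=audit(1200699191.007:412): item=0 name="/usr/sbin/stunnel" inode=98321 mode=0100755
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')

def parse_events(log_text):
    """Group records by event serial; all records of one event share it."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(tok.split('=', 1) for tok in shlex.split(body) if '=' in tok)
        if rtype == 'PATH' and fields.get('item') != '0':
            continue  # item 0 is the file handed to execve; later items are e.g. the loader
        events[int(serial)][rtype] = fields
    return events

def executions(log_text, key):
    """Return one summary per event whose SYSCALL record carries the rule key."""
    hits = []
    for serial, recs in sorted(parse_events(log_text).items()):
        sc = recs.get('SYSCALL')
        if not sc or sc.get('key') != key:
            continue
        ex = recs.get('EXECVE', {})
        argv = [ex[f'a{i}'] for i in range(int(ex.get('argc', 0)))]
        hits.append({
            'serial': serial, 'target': recs.get('PATH', {}).get('name'),
            'exe': sc['exe'], 'auid': sc['auid'], 'uid': sc['uid'],
            'success': sc['success'] == 'yes', 'argv': argv,
        })
    return hits

if __name__ == '__main__':
    for hit in executions(SAMPLE_LOG, 'my-file-is-executed'):
        print(hit)
```

In the failed attempt (serial 412) the SYSCALL record's exe= is still the calling shell, so the PATH record's name is what identifies the watched file.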