This is part of Peter Moody's, Eric Paris' and my work to implement
audit by executable name.
Please see the accompanying kernel patchset:
https://www.redhat.com/archives/linux-audit/2015-July/thread.html
[PATCH V6 0/4] audit by executable name
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory, at which point the change in
device and inode will be noted.
Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule"
key="exetest_tree" list=4 res=1
----
# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712):
proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932
dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525
dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3
a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch"
exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="exetest_tree"
----
# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule"
key="exetest_tree" list=4 res=1
----
Revision history:
v2: Allow exe or exe_children field alone without watch or syscall
v1: change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
v0: Peter Moody's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00034.html
Next step:
Get full-path notify working.
Richard Guy Briggs (2):
userspace: audit: log on the future execution of a path
Allow monitoring of any activity on an executable with a specific
path.
trunk/lib/errormsg.h | 4 ++--
trunk/lib/fieldtab.h | 2 ++
trunk/lib/libaudit.c | 11 ++++++++++-
trunk/lib/libaudit.h | 7 ++++++-
trunk/lib/private.h | 1 +
trunk/src/auditctl-listing.c | 8 +++++++-
trunk/src/auditctl.c | 8 +++++++-
7 files changed, 35 insertions(+), 6 deletions(-)
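The sample run above shows what an exe= rule produces in the log: a SYSCALL record whose exe= field is the path of the binary the kernel executed, plus PATH, CWD and PROCTITLE companions sharing one serial number. The following is an added example, not code from the audit-userspace patchset or from the cover letter's author. It parses those records (copied from the sample run and rejoined onto one line per record), decodes the hex-encoded proctitle into argv, groups records into events, and applies on the log side the same test the exe= filter applies in the kernel: match on exe=, not on comm=, which any process can rewrite with prctl(PR_SET_NAME). The second event (serial 44799, a /usr/bin/cp process with comm="touch") is constructed for this example to show the filter rejecting it; the function names and the SAMPLE_LOG constant are this example's own.

```python
"""Parse Linux audit records and select events by executable path.

Added example for the "audit by executable name" cover letter; not part of
audit-userspace.  Input is constructed: the 44712 event is copied from the
sample run, the 44799 event is made up to exercise the filter.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
type=PROCTITLE msg=audit(1436629399.100:44799): proctitle=2F7573722F62696E2F6370002F746D702F61002F746D702F62
type=CWD msg=audit(1436629399.100:44799): cwd="/root"
type=SYSCALL msg=audit(1436629399.100:44799): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=241 a2=1b6 a3=0 items=0 ppid=17655 pid=17800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="other_rule"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd emits as text; everything else (a0..a3, dev, ...) stays raw.
STRING_FIELDS = {'proctitle', 'name', 'cwd', 'comm', 'exe', 'key'}


def decode_string(value):
    """auditd quotes a string field when it is printable; otherwise it writes
    the raw bytes as hex with no quotes.  proctitle holds NUL-separated argv,
    so it is always hex.  Unquoted non-hex values such as (null) pass through."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value


def parse_record(line):
    """Split one record into a dict: type, time, serial, then its fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an audit record: %r' % line)
    rtype, ts, serial, body = m.groups()
    fields = {'type': rtype, 'time': float(ts), 'serial': int(serial)}
    for name, raw in FIELD.findall(body):
        fields[name] = decode_string(raw) if name in STRING_FIELDS else raw
    return fields


def parse_events(log_text):
    """Group records by serial number: one event per audited syscall."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['serial']].append(rec)
    return dict(events)


def matches_exe_rule(event, exe, key=None):
    """Log-side equivalent of '-F exe=PATH [-F key=K]': compare the SYSCALL
    record's exe= (the executed binary as the kernel saw it), never comm=."""
    syscall = next((r for r in event if r['type'] == 'SYSCALL'), None)
    if syscall is None or syscall.get('exe') != exe:
        return False
    return key is None or syscall.get('key') == key


def summarize(event):
    """Flatten an event into the fields an analyst wants at a glance."""
    syscall = next(r for r in event if r['type'] == 'SYSCALL')
    proctitle = next((r for r in event if r['type'] == 'PROCTITLE'), None)
    argv = proctitle['proctitle'].split('\0') if proctitle else []
    path_recs = sorted((r for r in event if r['type'] == 'PATH'),
                       key=lambda r: int(r['item']))
    return {'serial': syscall['serial'], 'exe': syscall['exe'],
            'comm': syscall.get('comm'), 'key': syscall.get('key'),
            'argv': argv,
            'paths': [(r['nametype'], r['name']) for r in path_recs]}


def find_exe_events(log_text, exe, key=None):
    """Return summaries of every event the given exe= rule would have matched."""
    return [summarize(ev) for _, ev in sorted(parse_events(log_text).items())
            if matches_exe_rule(ev, exe, key)]


if __name__ == '__main__':
    for hit in find_exe_events(SAMPLE_LOG, '/usr/bin/touch', 'exetest_tree'):
        print(hit)
```

Run as a script it prints only the 44712 event, with argv ['/usr/bin/touch', '/tmp/test'] recovered from the hex proctitle and the two PATH records in item order; the 44799 event is dropped even though its comm= also reads "touch", which is exactly why an exe= rule is a better filter than one on comm=.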