Matthew Booth wrote:
> Brennan, William C wrote:
> > How do I configure parameters for auditctl to make an audit record every
> > time a file is executed?
> > 
>
> On i386:
> -a entry,always -F arch=i386 -S execve
>
> On x86_64, you need the above in addition to:
> -a entry,always -F arch=x86_64 -S execve

Okay, that's valuable, but I see I did not describe my problem precisely
enough.  Let me try this again.  How do I configure parameters for
auditctl to make an audit record every time a PARTICULAR file is
executed?

Is there a way to do this?  Or is the only way to report on this
information by collecting auditing for all executed files (as given,
above), and then to filter more accurately using "ausearch -f filename"?

-- Bill

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
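
Added example, not part of the original message or the audit tools: the fallback described above (record every execve with the two per-arch rules, then narrow to one file afterwards), written as a Python filter over audit records. The sample lines are constructed, the key=value record layout and the function names `parse_events` and `execs_of` are assumptions of this example, and the execve numbers used are 11 for i386 and 59 for x86_64.

```python
import re
from collections import defaultdict

# execve syscall number per audit arch value (i386 = 40000003, x86_64 = c000003e).
EXECVE = {"40000003": "11", "c000003e": "59"}

# Constructed sample records in a key=value audit log layout (not from the page).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200000000.101:41): arch=c000003e syscall=59 success=yes exit=0 pid=2101 uid=500 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1200000000.101:41): item=0 name="/bin/ls" inode=1001
type=SYSCALL msg=audit(1200000000.202:42): arch=40000003 syscall=11 success=yes exit=0 pid=2102 uid=500 comm="passwd" exe="/usr/bin/passwd"
type=PATH msg=audit(1200000000.202:42): item=0 name="/usr/bin/passwd" inode=1002
type=SYSCALL msg=audit(1200000000.303:43): arch=c000003e syscall=59 success=yes exit=0 pid=2103 uid=0 comm="passwd" exe="/usr/bin/passwd"
type=PATH msg=audit(1200000000.303:43): item=0 name="/usr/bin/passwd" inode=1002
type=SYSCALL msg=audit(1200000000.404:44): arch=c000003e syscall=2 success=yes exit=3 pid=2104 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1200000000.404:44): item=0 name="/usr/bin/passwd" inode=1002
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial; return {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)].append((rtype, fields))
    return events

def execs_of(text, path):
    """Return (serial, pid, uid, arch) for each execve event naming `path`."""
    hits = []
    for serial, records in sorted(parse_events(text).items()):
        names = {f.get("name") for t, f in records if t == "PATH"}
        for rtype, sc in records:
            if rtype != "SYSCALL":
                continue
            # Match execve by the number that belongs to the record's own arch;
            # event 44 names the same file but is not an execve, so it is dropped.
            want = EXECVE.get(sc.get("arch"))
            if want and sc.get("syscall") == want and path in names:
                hits.append((serial, int(sc.get("pid", -1)), int(sc.get("uid", -1)), sc["arch"]))
    return hits

if __name__ == "__main__":
    for hit in execs_of(SAMPLE_LOG, "/usr/bin/passwd"):
        print(hit)
```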
