Steve Grubb wrote: > > You use file watches: > > auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed > > There are examples of this in the CAPP & LSPP rules. You can find this
> by 'rpm -ql audit | grep lspp' Thanks Steve. I completely overlooked the example files. -- Bill -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
