On Fri, 2 May 2014 10:49:56 -0400 Richard Guy Briggs <[email protected]> wrote:
> > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
> > success=1
> >
> > to see instances of /bin/bash opening a non-local socket. Or
> >
> > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F
> > exe_children=/bin/bash -F success=1
> >
> > to instances of /bin/bash, and any descendant processes, opening a
> > non-local socket.
>
> In addition to these sample rules, do you have a command or script to
> trigger it?

You should be able to load a rule like this:

-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=test

Then run

touch /tmp/test

then

ausearch --start recent -k test

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
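The load-trigger-search sequence Steve describes, as an added example script that is not part of the thread: it builds the rule, loads it, fires it with touch, counts the matching SYSCALL records with ausearch, and removes the rule again. It assumes root, a running auditd, an auditctl that accepts -F exe=, and resolves the path to touch with command -v instead of hard-coding it.

```shell
#!/bin/sh
# Added example (not from the thread): round-trip test of an audit rule.
# Assumes root and a running auditd; the path to touch is resolved with
# command -v because it differs between distributions.

AUDIT_KEY="test"   # the -k used with ausearch
WATCH_DIR="/tmp"

# Build the rule specification (everything after -a / -d) for one
# executable path. Pure string function, so it can be checked offline.
build_rule() {
    printf 'always,exit -F dir=%s -F exe=%s -F key=%s' \
        "$WATCH_DIR" "$1" "$AUDIT_KEY"
}

# Count SYSCALL records tagged with our key in the recent window.
count_events() {
    ausearch --start recent -k "$AUDIT_KEY" --raw 2>/dev/null \
        | grep -c '^type=SYSCALL'
}

run_selftest() {
    exe=$(command -v touch) || { echo "touch not found" >&2; return 1; }
    spec=$(build_rule "$exe")
    # shellcheck disable=SC2086   # word splitting of $spec is intended
    auditctl -a $spec || return 1
    touch "$WATCH_DIR/test"
    sleep 1                          # let auditd write the record
    n=$(count_events)
    # shellcheck disable=SC2086
    auditctl -d $spec                # always remove the test rule again
    echo "matching SYSCALL records: $n"
    [ "${n:-0}" -gt 0 ]
}

# Runs only when asked explicitly: sudo sh audit_rule_test.sh run
case "${1:-}" in
    run) run_selftest ;;
esac
```

A result of 0 records usually means the exe path in the rule does not match the binary actually executed, so check `command -v touch` against the rule shown by `auditctl -l`.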
