• Richard Guy Briggs's avatar
    audit: implement audit by executable · 34d99af5
    Richard Guy Briggs authored
    This adds the ability audit the actions of a not-yet-running process.
    
    This patch implements the ability to filter on the executable path.  Instead of
    just hard coding the ino and dev of the executable we care about at the moment
    the rule is inserted into the kernel, use the new audit_fsnotify
    infrastructure to manage this dynamically.  This means that if the filename
    does not yet exist but the containing directory does, or if the inode in
    question is unlinked and creat'd (aka updated) the rule will just continue to
    work.  If the containing directory is moved or deleted or the filesystem is
    unmounted, the rule is deleted automatically.  A future enhancement would be to
    have the rule survive across directory disruptions.
    
    This is a heavily modified version of a patch originally submitted by Eric
    Paris with some ideas from Peter Moody.
    
    Cc: Peter Moody <peter@hda3.com>
    Cc: Eric Paris <eparis@redhat.com>
    Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
    [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
    Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    34d99af5
audit.h 10.8 KB