Hacker News
by ivlad 815 days ago
I am trying to figure out if auditctl is expressive enough to catch unexpected execve() from sshd: basically anything other than /usr/bin/sshd (for privsep) executed with auid=-1 should be suspicious.