The following are example Syslog entries for two commands. The first copies a program to a new location, and the second is an attempt to execute the copy.
The first command copies the “/usr/bin/cat” program to “/tmp”. The program assessed here is “cp” itself, not the file being copied. This action is permitted.

    [root@localhost ~]# cp /usr/bin/cat /tmp/
    [root@localhost ~]#
    Feb 27 07:27:59 localhost Mandos[2250]: Permitting execution of PID '2264' \
    ('/usr/bin/cp') [CMD: 'cp -i /usr/bin/cat /tmp/'] with hash \
    'b2155f0cdae61254bf70a8e5f94c8774bb9404bb4d26b7c5561a8b921881160b' based on explicit directory whitelist

The second command executes “/tmp/cat”. This action is prevented.

    [root@localhost ~]# /tmp/cat /etc/passwd
    Killed
    [root@localhost ~]#
    Feb 27 07:28:11 localhost Mandos[2250]: Preventing execution of PID '2265' \
    ('/tmp/cat') [CMD: '/tmp/cat /etc/passwd'] with hash \
    '197ca535b49fc9a9d0c149ba2909e895cb0c04aa2c5909db507eabb21b8b3aa1' based on explicit directory blacklist
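
For triage, the two entries above can be parsed into fields and each prevented execution tied back to an earlier permitted command that named the blocked file or its directory. This is an added example, not code from Mandos: the field layout is inferred from the two entries shown here, the correlation is a heuristic, and the function names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# The two entries shown above, copied with their "\" line continuations.
SAMPLE_LOG = r"""
Feb 27 07:27:59 localhost Mandos[2250]: Permitting execution of PID '2264' \
('/usr/bin/cp') [CMD: 'cp -i /usr/bin/cat /tmp/'] with hash \
'b2155f0cdae61254bf70a8e5f94c8774bb9404bb4d26b7c5561a8b921881160b' based on explicit directory whitelist
Feb 27 07:28:11 localhost Mandos[2250]: Preventing execution of PID '2265' \
('/tmp/cat') [CMD: '/tmp/cat /etc/passwd'] with hash \
'197ca535b49fc9a9d0c149ba2909e895cb0c04aa2c5909db507eabb21b8b3aa1' based on explicit directory blacklist
"""

# Assumption: layout inferred from the two entries above, not from a format spec.
ENTRY = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) Mandos\[\d+\]: "
    r"(?P<verdict>Permitting|Preventing) execution of PID '(?P<pid>\d+)' "
    r"\('(?P<path>[^']*)'\) \[CMD: '(?P<cmd>.*)'\] with hash "
    r"'(?P<hash>[0-9a-f]+)' based on (?P<reason>.+)$"
)

def parse_entries(text):
    """Join backslash-continued lines, then return one dict per Mandos entry."""
    joined = re.sub(r"\s*\\\n\s*", " ", text)
    matches = (ENTRY.match(line.strip()) for line in joined.splitlines())
    return [m.groupdict() for m in matches if m]

def prevented_with_origin(entries):
    """For each prevented execution, list earlier permitted commands whose
    arguments name the blocked file or its parent directory (heuristic)."""
    findings, permitted = [], []
    for entry in entries:
        if entry["verdict"] == "Permitting":
            permitted.append(entry)
            continue
        blocked = PurePosixPath(entry["path"])
        targets = {blocked, blocked.parent}
        origin = [p["cmd"] for p in permitted
                  if any(PurePosixPath(arg) in targets for arg in p["cmd"].split()[1:])]
        findings.append({**entry, "possible_origin": origin})
    return findings

if __name__ == "__main__":
    for f in prevented_with_origin(parse_entries(SAMPLE_LOG)):
        print(f["time"], f["path"], f["reason"], "<-", f["possible_origin"])
```
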