what kind of system calls would you like to trace?
02/08/2021, 4:17 PM
Hello, I am trying to build a host-based intrusion detection system for my 3rd-year project. I am trying to get system calls that an application usually makes like execve, mmap, read, write, delete, fork, pipe, permission changes, etc., but I am not interested in the syscalls regarding sockets. I have made the query: "query": "SELECT pid, path, syscall, mode, cmdline, cmdline_size, cwd, uid, gid, parent, time, uptime FROM process_events;", in the config files, but the only system call it returns is execve for some reason. Do you know why this is happening? 😕
02/08/2021, 4:21 PM
Hey @Rares Ion, yes, this is normal: only a specific set of system calls is captured by osquery. This can normally be tweaked a little with some configuration flags, but it's always mostly about process execution and sockets.