Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

As i understand it, process auditing only logs `execve` syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (`sethostname`, `settimeofday` etc)? in our case we're trying to follow CIS standards and the benchmarks for audit require more than `execve`.

Not currently supported but it should be possible to add them; are those the only two syscalls you are interested in? I'm not familiar with that standard and I was curious

there's actually more - here's a sample audit rules file to give you an idea: <https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/audit/audit.rules>

CIS publishes security benchmarks for different OSes/platforms. you can learn more here: <https://cisecurity.org>