# process-auditing
p
As I understand it, process auditing only logs `execve` syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (`sethostname`, `settimeofday` etc)? In our case we're trying to follow CIS standards and the benchmarks for audit require more than `execve`.
a
Not currently supported but it should be possible to add them; are those the only two syscalls you are interested in? I'm not familiar with that standard and I was curious
p
There's actually more - here's a sample audit rules file to give you an idea: https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/audit/audit.rules
CIS publishes security benchmarks for different OSes/platforms. You can learn more here: https://cisecurity.org
a
Nice! Thanks for the info 😊