Title
#process-auditing
pirxthepilot

pirxthepilot

09/25/2018, 5:59 PM
As i understand it, process auditing only logs
execve
syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (
sethostname
,
settimeofday
etc)? in our case we're trying to follow CIS standards and the benchmarks for audit require more than
execve
.
a

alessandrogario

09/25/2018, 7:43 PM
Not currently supported but it should be possible to add them; are those the only two syscalls you are interested in? I'm not familiar with that standard and I was curious
pirxthepilot

pirxthepilot

09/25/2018, 7:50 PM
there's actually more - here's a sample audit rules file to give you an idea: https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/audit/audit.rules
7:51 PM
CIS publishes security benchmarks for different OSes/platforms. you can learn more here: https://cisecurity.org
a

alessandrogario

09/25/2018, 7:56 PM
Nice! Thanks for the info 😊