As i understand it, process auditing only logs

execve

syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (

sethostname

,

settimeofday

etc)? in our case we're trying to follow CIS standards and the benchmarks for audit require more than

execve

.

Not currently supported but it should be possible to add them; are those the only two syscalls you are interested in? I'm not familiar with that standard and I was curious

there's actually more - here's a sample audit rules file to give you an idea: https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/audit/audit.rules

Nice! Thanks for the info 😊