I was curious as to why the process_events table has a field for auid but the processes table doesn't. Anyone have some insight?
ForensicITGuy
11/01/2019, 12:34 PM
The processes table parses the /proc filesystem like ps does to enumerate the processes. The eventing table listens to events from the kernel audit subsystem like auditd does.