#fim
reed

04/04/2020, 7:58 PM
One issue that I haven't seen a good answer for is how to track the actual user who is performing the action that causes the FIM event. In auditd terms, this is the auid. Does such a thing exist for inotify? What about the new eBPF support?
sundsta

04/05/2020, 12:17 AM
You probably want process_file_events instead of file_events, which has the uid/gid the process is running under.
12:20 AM
It is a Linux-only table for now, however
reed

05/05/2020, 6:48 AM
I need the auid, which didn't exist.
6:48 AM