One issue that I haven't seen a good answer for is how to track the actual user who is performing the action that causes the FIM event. In auditd terms, this is the auid. Does such a thing exist for inotify? What about the new eBPF support?
sundsta
04/05/2020, 12:17 AM
You probably want `process_file_events` instead of `file_events`, which has the uid/gid the process is running under.
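As an added illustration of the reply above (not part of the original thread, and not osquery project code), here is how that lookup could be expressed in osqueryi. It assumes the `process_file_events` table exposes the audit-derived `auid`, `uid` and `gid` columns alongside `operation`, `path`, `executable` and `pid` as documented in the osquery schema, and that the `users` table is available to resolve ids to names; the `file_paths` entry in the config is a constructed example, and the `auid` column is only populated when the events come from the auditd backend rather than inotify.

```sql
-- Constructed example config fragment (osquery.conf) to watch a directory with the audit-based FIM:
--   "file_paths": { "etc": [ "/etc/%%" ] }
-- Run osqueryi with the audit backend enabled, e.g.:
--   osqueryi --disable_audit=false --audit_allow_config=true --audit_allow_fim_events=true
--
-- Resolve both the login user (auid, the auditd notion of "who logged in")
-- and the effective user the process ran as (uid) for each file event.
SELECT
  datetime(pfe.time, 'unixepoch') AS event_time,
  pfe.operation,
  pfe.path,
  pfe.executable,
  pfe.pid,
  pfe.auid,
  login_user.username  AS login_username,   -- who authenticated (survives sudo/su)
  pfe.uid,
  run_user.username    AS effective_username, -- who the process ran as
  pfe.gid
FROM process_file_events AS pfe
LEFT JOIN users AS login_user ON login_user.uid = pfe.auid
LEFT JOIN users AS run_user   ON run_user.uid   = pfe.uid
WHERE pfe.path LIKE '/etc/%'
  -- auid of 4294967295 (-1 as unsigned) means "unset": daemons started at boot,
  -- not an interactive login, so filter those out when hunting for human activity.
  AND pfe.auid != 4294967295
ORDER BY pfe.time DESC;
```

The difference between the two columns is the point of the reply: `uid` tells you the account a root shell was running as, while `auid` is carried across `sudo`/`su` and still names the original login, which is what the question is asking for. The inotify-backed `file_events` table has no equivalent, since inotify reports only the file change and not the acting process.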