what kind of system calls would you like to trace

Question

Rares Ion · Answer

Hello I am trying to build a host based intrusion detection system for my 3rd year project I am trying to get system calls that an application usually makes like execve mmap read write delete fork pipe permission changes etc but I am not interested in the syscalls regarding sockets I have made the query query SELECT pid path syscall mode cmdline cmdline size cwd uid gid parent time uptime FROM process events in the config files but the only system call it returns is execve for some reason Do you know why this is happening confused

alessandrogario · Answer

Hey < Rares Ion> yes this is normal only a specific set of system calls is captured by osquery This can be normally tweaked a little with some configuration flags but it s always mostly about process execution and sockets

alessandrogario · Answer

You could implement your own table as an extension using or the native

alessandrogario · Answer

For the event source you can either use BPF With our in C++ With in C++ or Python or Audit by writing an audisp plugin first tutorial found on Google

alessandrogario · Answer

If you are ok with C++ our BPF libraries are probably the easiest route since you can just point them at any system call and it will return everything

alessandrogario · Answer

And you can also optionally trace libraries binaries system wide <https asciinema org a ZIxGquPIQdG2aAZdO5nNV2cCw>