Channels
# apple-silicon
# arm-architecture
# auditing-warroom
# aws
# code-review
# community-feeds
# core
# darkbytes
# doorman
# ebpf
# eclecticiq-polylogyx-extension
# extensions
# file-carving
# fim
# fleet
# foundation
# fuzzing
# general
# golang
# goquery
# infrastructure
# kolide
# linux
# macos
# officehours
# osctrl
# plugins
# process-auditing
# querycon
# queryhub
# sql
# tls
# uptycs
# website
# windows
# zeek
# zercurity
pirxthepilot
3 years agoAs i understand it, process auditing only logs
syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (execve
,sethostname
etc)? in our case we're trying to follow CIS standards and the benchmarks for audit require more thansettimeofday
.execve- a
alessandrogario
3 years agoNot currently supported but it should be possible to add them; are those the only two syscalls you are interested in? I'm not familiar with that standard and I was curious pirxthepilot
3 years agothere's actually more - here's a sample audit rules file to give you an idea: https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/audit/audit.rules- CIS publishes security benchmarks for different OSes/platforms. you can learn more here: https://cisecurity.org
- a
alessandrogario
3 years agoNice! Thanks for the info 😊
Join thread in Slack
View count: 5