• pirxthepilot
    3 years ago
    As I understand it, process auditing only logs execve syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (sethostname, settimeofday etc)? In our case we're trying to follow CIS standards and the benchmarks for audit require more than execve.
  • alessandrogario
    3 years ago
    Not currently supported, but it should be possible to add them; are those the only two syscalls you are interested in? I'm not familiar with that standard and I was curious.
  • pirxthepilot
    3 years ago
    There's actually more; here's a sample audit rules file to give you an idea: https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/audit/audit.rules
  • CIS publishes security benchmarks for different OSes/platforms. You can learn more here: https://cisecurity.org
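The question in this thread is a coverage gap: which syscalls a CIS-style auditd rule set asks for that a process-auditing feature recording only execve would not capture. The script below is an added example, not code from the thread or from the osquery project. It parses auditd `-a ... -S ... -k ...` rule lines, takes the covered set from the thread's statement (execve only), and reports the uncovered syscalls per audit key. The rule lines embedded in it are constructed to look like CIS rules and are not the contents of the linked file.

```python
"""Coverage gap check: syscalls requested by auditd rules that a process
auditor recording only execve would miss.

Added example for the discussion above; SAMPLE_RULES is constructed and
is not the linked audit.rules file.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syscalls the thread says osquery process auditing records.
OSQUERY_PROCESS_AUDIT_SYSCALLS = frozenset({"execve"})

# Constructed sample in auditd syntax: -a action,list -F filter -S syscall -k key
SAMPLE_RULES = """\
# time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
# system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/hosts -p wa -k system-locale
# exec tracking
-a always,exit -F arch=b64 -S execve -k exec
"""


@dataclass
class SyscallRule:
    arch: Optional[str]      # value of -F arch=..., if present
    syscalls: List[str]      # every -S value, comma-separated lists expanded
    key: Optional[str]       # -k key, if present


def parse_audit_rules(text: str) -> List[SyscallRule]:
    """Return the syscall rules (-a/-A lines) from auditd rules text.

    Comments, blank lines, -w file watches and control lines (-D, -b, -e)
    are skipped because they do not name syscalls.
    """
    rules: List[SyscallRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] not in ("-a", "-A"):
            continue
        arch = key = None
        syscalls: List[str] = []
        # tokens[1] is the action,list pair; flags start at index 2 in pairs
        i = 2
        while i + 1 < len(tokens):
            flag, value = tokens[i], tokens[i + 1]
            if flag == "-S":
                syscalls.extend(v for v in value.split(",") if v)
            elif flag == "-F" and value.startswith("arch="):
                arch = value[len("arch="):]
            elif flag == "-k":
                key = value
            i += 2
        rules.append(SyscallRule(arch=arch, syscalls=syscalls, key=key))
    return rules


def coverage_gaps(rules: List[SyscallRule],
                  covered=OSQUERY_PROCESS_AUDIT_SYSCALLS) -> Dict[str, List[str]]:
    """Map each audit key to the syscalls it requests that `covered` lacks.

    Keys whose syscalls are all covered do not appear in the result.
    """
    gaps: Dict[str, set] = {}
    for rule in rules:
        missing = set(rule.syscalls) - covered
        if missing:
            gaps.setdefault(rule.key or "<no key>", set()).update(missing)
    return {k: sorted(v) for k, v in gaps.items()}


if __name__ == "__main__":
    parsed = parse_audit_rules(SAMPLE_RULES)
    for key, missing in coverage_gaps(parsed).items():
        print(f"{key}: not covered by execve-only auditing -> {', '.join(missing)}")
```

Run against a real rules file by replacing SAMPLE_RULES with the file's contents; any key listed in the output is a benchmark item that still needs native auditd (or another collector) rather than execve-only process auditing.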
  • alessandrogario
    3 years ago
    Nice! Thanks for the info 😊