As i understand it process auditing only logs `execve` sysca

Question

As i understand it process auditing only logs `execve` syscalls is that correct If so is osquery not a good fit then if we want to log other syscalls `sethostname` `settimeofday` etc in our case we re trying to follow CIS standards and the benchmarks for audit require more than `execve`

alessandrogario · Answer

Not currently supported but it should be possible to add them are those the only two syscalls you are interested in I m not familiar with that standard and I was curious

pirxthepilot · Answer

there s actually more here s a sample audit rules file to give you an idea <https github com major cis rhel ansible blob master roles cis files etc audit audit rules>

pirxthepilot · Answer

CIS publishes security benchmarks for different OSes platforms you can learn more here <https cisecurity org>

alessandrogario · Answer

Nice Thanks for the info blush