Is there a rule for auditing all processes' syscall info?
Klaus Heinrich Kiwi
klausk at linux.vnet.ibm.com
Fri Jan 4 19:12:19 UTC 2008
On Sat, 2007-12-29 at 09:30 +0800, Marius.bao wrote:
> Hi all,
> We can use a rule to audit all of one specific process's syscall info,
> e.g.: auditctl -a entry,always -S all -F pid=1005, which will log process
> 1005's syscall info. Is there a rule available to audit all processes'
> syscall info?
>
> Thanks in advance.
Not sure what your intentions are, but I think you can omit the pid
field and every syscall (but read() and write()) should then be audited.
Klaus
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
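The rule discussed above, and what its output looks like once it reaches the raw audit log, as an added example that is not part of the original thread or of the audit project's own code. It assumes an x86_64 system (arch=c000003e, where syscall numbers 2, 3, 4 and 59 are open, close, stat and execve), the audit.log lines are constructed for illustration, and the helper names (audit_rule, parse_record, summarize) are the example's own.

```python
"""Summarise raw auditd SYSCALL records per pid.

Added example (not from the original thread or the audit project). It
parses the `type=SYSCALL` lines auditd writes for a `-S all` rule and
shows what a pid-filtered rule (`-F pid=1005`) keeps versus an
unfiltered one (pid field omitted). Assumes x86_64 syscall numbers.
"""
import re
from collections import Counter, defaultdict

# x86_64 (arch=c000003e) syscall numbers for the calls used below.
SYSCALL_NAMES = {"2": "open", "3": "close", "4": "stat", "59": "execve"}

# Constructed sample audit.log lines (not real data); field layout follows
# the raw format auditd writes, trimmed to the fields used here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1199474539.101:201): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=1005 auid=500 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=PATH msg=audit(1199474539.101:201): item=0 name="/etc/ssh/sshd_config" inode=4242 dev=08:01 mode=0100600
type=SYSCALL msg=audit(1199474539.102:202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1005 pid=1010 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1199474539.103:203): arch=c000003e syscall=2 success=no exit=-2 items=1 ppid=1 pid=1005 auid=500 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1199474539.104:204): arch=c000003e syscall=4 success=yes exit=0 items=1 ppid=1005 pid=1010 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1199474539.105:205): arch=c000003e syscall=3 success=yes exit=0 items=0 ppid=1 pid=1005 auid=500 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audit_rule(pid=None):
    """Build the auditctl argument list from the thread: with a pid the rule
    watches one process; with pid=None the -F field is omitted so the same
    rule applies to every process."""
    args = ["auditctl", "-a", "entry,always", "-S", "all"]
    if pid is not None:
        args += ["-F", "pid=%d" % pid]
    return args


def parse_record(line):
    """Split one raw audit line into a dict of key=value fields; quoted
    values lose their quotes. Returns None for non-record lines."""
    if not line.startswith("type="):
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def syscall_records(log_text, pid=None):
    """Yield SYSCALL records, optionally only those with a matching pid
    (mirroring the effect of -F pid=<n> on what reaches the log)."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("type") != "SYSCALL":
            continue
        if pid is not None and rec.get("pid") != str(pid):
            continue
        yield rec


def summarize(log_text, pid=None):
    """Return (per_pid, failures): per_pid maps pid -> Counter of syscall
    names, failures maps pid -> number of calls with success=no."""
    per_pid = defaultdict(Counter)
    failures = Counter()
    for rec in syscall_records(log_text, pid):
        name = SYSCALL_NAMES.get(rec["syscall"], "syscall_" + rec["syscall"])
        per_pid[rec["pid"]][name] += 1
        if rec.get("success") == "no":
            failures[rec["pid"]] += 1
    return dict(per_pid), failures


if __name__ == "__main__":
    for rule_pid in (1005, None):
        print(" ".join(audit_rule(rule_pid)))
        per_pid, failures = summarize(SAMPLE_LOG, rule_pid)
        for p, counts in sorted(per_pid.items()):
            print("  pid %s: %s (failed: %d)" % (p, dict(counts), failures[p]))
```

Running it with the pid set shows only the sshd records; with the pid omitted every process's SYSCALL records appear. That second case is the practical caveat: an unfiltered `-S all` rule emits a SYSCALL record (often with PATH and CWD companions) for every system call of every process, so the log grows very quickly on a busy machine, and a per-pid summary like this one is a cheap way to see what the rule actually captures before leaving it in place.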