auditd conditional logging flexibility
Sean W
unixed at gmail.com
Tue Oct 1 16:42:20 EDT 2013
Greets,
auditd doesn't seem to support the type of flexibility I'm looking for in
terms of filters. I'd like to log system calls based upon PID or path based
upon /proc/self/exe, e.g. /usr/sbin/sshd. This is primarily due to log
volume. Is what I'm looking for possible? Or done better another way?
A related question is about the "task" directive. On a given PID or path as
described above, does "task" only log artifacts related to the PID or path
and its descendants? I'm not sure if I'm reading the auditd docs correctly.
Thanks.
Sean
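Added example, not part of this post or of auditd itself: a small Python filter that selects audit.log SYSCALL records by exe path or by PID (optionally including the PID's descendants, which is the relationship the second question is about), plus the equivalent auditctl rules that would keep the unwanted records from being written in the first place. The log lines are constructed samples; the `-F exe=` rule assumes a kernel and auditctl newer than this 2013 post.

```python
import re

# Constructed sample records in the style of /var/log/audit/audit.log (not real data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1380659940.123:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=SYSCALL msg=audit(1380659941.456:1002): arch=c000003e syscall=2 success=yes exit=3 ppid=1234 pid=1235 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="open"
type=SYSCALL msg=audit(1380659942.789:1003): arch=c000003e syscall=59 success=no exit=-13 ppid=900 pid=1300 auid=1000 uid=1000 comm="cron" exe="/usr/sbin/cron" key="exec"
type=PROCTITLE msg=audit(1380659940.123:1001): proctitle=2F7573722F7362696E2F73736864
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(text):
    """One dict of key=value fields per record; quotes stripped from values."""
    return [{k: v.strip('"') for k, v in FIELD_RE.findall(l)} for l in text.splitlines() if l.strip()]

def descendants_of(records, root_pid):
    """pids in the log whose ppid chain leads back to root_pid (root included)."""
    parent = {r["pid"]: r.get("ppid") for r in records if "pid" in r}
    found, grew = {str(root_pid)}, True
    while grew:  # repeat until a pass discovers no new child
        new = {p for p, pp in parent.items() if pp in found and p not in found}
        found |= new
        grew = bool(new)
    return found

def select(records, exe=None, pid=None, with_children=False):
    """SYSCALL records from one exe path, or from one pid (optionally plus its descendants)."""
    wanted = descendants_of(records, pid) if with_children else {str(pid)}
    return [r for r in records if r.get("type") == "SYSCALL"
            and (exe is None or r.get("exe") == exe)
            and (pid is None or r.get("pid") in wanted)]

def auditctl_rules(exe=None, pid=None, syscall="execve", key="filtered"):
    """Kernel-side rules with the same selection, so the rest is never logged at all.
    -F exe= assumes a kernel/auditctl newer than this post (Linux 4.3 or later)."""
    base = f"-a always,exit -F arch=b64 -S {syscall}"
    rules = []
    if exe is not None:
        rules.append(f"{base} -F exe={exe} -k {key}")
    if pid is not None:
        rules.append(f"{base} -F pid={pid} -k {key}")
    return rules
```

A `-F pid=` rule only matches the one process, so post-hoc filtering with `descendants_of` is what gives the "PID and its children" view from the logged records.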