ProcMon-for-Linux

Possibility to add a static config file and to log syscalls

Open ArcticB opened this issue 5 years ago • 2 comments

Hello,

I'm glad to see that there is finally a concrete implementation of syscall hooking using eBPF. What do you think about adding static configurations to your solution in order to replace systems like Auditd?

Thanks

ArcticB, Jul 17 '20 09:07

We've discussed having a config file, but haven't done any formal planning for it. How would you imagine it would work? I'm imagining a dotfile type configuration that could be placed in a known location per user and per machine, i.e., ~ and /etc/somewhere.

josalem, Jul 17 '20 17:07

To my mind, it could be a global config file (/etc) where you define the syscalls that you want to monitor. While hooking one of those syscalls, it would log the call to a file defined in the conf. And finally it would be possible to set filters on syscall args and return values. That's how I see it, but it can be done another way.

ArcticB, Jul 20 '20 13:07
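The config-driven filtering ArcticB sketches above (a global file naming the syscalls to hook, a log destination, and filters on arguments and return values), worked through as an added example. This is not ProcMon-for-Linux code: the JSON schema, the filter operators, the /etc/procmon path and the key=value log layout are all assumptions for the sake of illustration, and the syscall events are constructed rather than captured from eBPF probes.

```python
"""Prototype of a static syscall-filter config as proposed in the thread.

Assumptions: the config schema, the filter ops and the log-line layout are
invented here; ProcMon-for-Linux has no such config file. Events are
constructed dicts standing in for what the eBPF probes would deliver.
"""
import json
import operator
from dataclasses import dataclass

# Hypothetical global config, e.g. /etc/procmon/procmon.conf (path assumed).
# JSON is used only so the example parses with the standard library.
EXAMPLE_CONFIG = """
{
  "log_file": "/var/log/procmon/syscalls.log",
  "syscalls": {
    "openat":  {"args": {"1": {"startswith": "/etc/"}}, "ret": {"ge": 0}},
    "execve":  {},
    "connect": {"ret": {"lt": 0}}
  }
}
"""

# Filter operators the prototype understands; anything else is rejected at load.
_OPS = {
    "eq": operator.eq, "ne": operator.ne,
    "lt": operator.lt, "le": operator.le,
    "gt": operator.gt, "ge": operator.ge,
    "startswith": lambda v, p: isinstance(v, str) and v.startswith(p),
}


@dataclass(frozen=True)
class SyscallRule:
    name: str
    arg_filters: dict  # arg index -> {op: operand}
    ret_filters: dict  # {op: operand}


def load_config(text):
    """Parse the config into (log_file, {syscall_name: SyscallRule}).

    Unknown operators raise ValueError so a typo cannot silently disable a filter.
    """
    cfg = json.loads(text)
    rules = {}
    for name, spec in cfg.get("syscalls", {}).items():
        arg_filters = {int(i): f for i, f in spec.get("args", {}).items()}
        ret_filters = spec.get("ret", {})
        for f in list(arg_filters.values()) + [ret_filters]:
            unknown = set(f) - set(_OPS)
            if unknown:
                raise ValueError(f"{name}: unknown filter op(s) {sorted(unknown)}")
        rules[name] = SyscallRule(name, arg_filters, ret_filters)
    return cfg["log_file"], rules


def _match(value, filters):
    return all(_OPS[op](value, operand) for op, operand in filters.items())


def should_log(event, rules):
    """True if the syscall is configured and every arg/ret filter passes.

    A filter on an argument index the event does not carry fails closed.
    """
    rule = rules.get(event["syscall"])
    if rule is None:
        return False
    args = event.get("args", [])
    for idx, filters in rule.arg_filters.items():
        if idx >= len(args) or not _match(args[idx], filters):
            return False
    return _match(event["ret"], rule.ret_filters)


def format_log_line(event):
    """One key=value record per matched call (layout is an assumption)."""
    args = " ".join(f"a{i}={v!r}" for i, v in enumerate(event.get("args", [])))
    return (f"pid={event['pid']} comm={event['comm']} "
            f"syscall={event['syscall']} {args} ret={event['ret']}")


def apply_config(config_text, events):
    """Return the log lines the configured filters would emit for the events."""
    _, rules = load_config(config_text)
    return [format_log_line(e) for e in events if should_log(e, rules)]


# Constructed sample events, not captured output.
SAMPLE_EVENTS = [
    {"pid": 1201, "comm": "sshd", "syscall": "openat",
     "args": [-100, "/etc/ssh/sshd_config", 0], "ret": 5},
    {"pid": 1201, "comm": "sshd", "syscall": "openat",
     "args": [-100, "/etc/shadow", 0], "ret": -13},   # ret < 0: filtered out
    {"pid": 1300, "comm": "bash", "syscall": "openat",
     "args": [-100, "/tmp/x", 577], "ret": 3},        # path not under /etc/
    {"pid": 1300, "comm": "bash", "syscall": "execve",
     "args": ["/usr/bin/id", ["id"], []], "ret": 0},  # no filters: always logged
    {"pid": 1400, "comm": "curl", "syscall": "connect",
     "args": [3, "10.0.0.5:443", 16], "ret": -111},   # failed connect: logged
    {"pid": 1400, "comm": "curl", "syscall": "connect",
     "args": [3, "10.0.0.6:443", 16], "ret": 0},      # successful: filtered out
    {"pid": 1500, "comm": "cron", "syscall": "read",
     "args": [4, "<buf>", 4096], "ret": 4096},        # not configured: ignored
]

if __name__ == "__main__":
    for line in apply_config(EXAMPLE_CONFIG, SAMPLE_EVENTS):
        print(line)
```

Two design points worth carrying into any real implementation: unknown filter operators are rejected when the config is loaded rather than ignored, and a filter on an argument the event does not carry fails closed, so a mis-typed config narrows what is logged instead of silently widening it.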