Greets,

auditd doesn't seem to support the type of flexibility I'm looking for in
terms of filters. I'd like to log system calls based upon PID or path based
upon /proc/self/exe, e.g. /usr/sbin/sshd. This is primarily due to log
volume. Is what I'm looking for possible? Or done better another way?

A related question is about the "task" directive. On a given PID or path as
described above, does "task" only log artifacts related to the PID or path
and its descendants? I'm not sure if I'm reading the auditd docs correctly.

Thanks.

Sean
_______________________________________________
Kernelnewbies mailing list
[email protected]
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
