On Sat, 2007-12-29 at 09:30 +0800, Marius.bao wrote:
> Hi all,
> We can use a rule to audit all of one specific process's syscall info,
> e.g. auditctl -a entry,always -S all -F pid=1005 will log process
> 1005's syscall info. Is there a rule available to audit all processes'
> syscall info?
>
> Thanks in advance.
Not sure what your intentions are, but I think you can omit the pid field,
and every syscall (but read() and write()) should then be audited.

Klaus

-- 
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
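As an added example (not code from this thread, from Klaus, or from the audit project), the script below builds the rule set the thread talks about, first with the pid filter from the question and then without it so it covers every process, and then digests the SYSCALL records such a rule produces. It assumes the `entry` list in the original rule is replaced by `exit`, since auditctl now documents `entry` as deprecated, and it uses the audit engine's first-match ordering to exclude read()/write() with a `never` rule placed ahead of the `always` rule. The audit.log lines and the x86_64 syscall numbers (0 read, 1 write, 2 open, 59 execve) are constructed sample input, not captured output.

```python
"""Build auditctl syscall rules and summarise the SYSCALL records they emit.

Added example for the linux-audit thread; not part of the original post.
Assumptions: 'exit' replaces the deprecated 'entry' list, and the sample
log below is constructed, not real auditd output.
"""
import re
from collections import Counter

# Constructed sample of what auditd writes to /var/log/audit/audit.log when a
# syscall rule fires. Each syscall produces a SYSCALL record plus optional
# CWD/PATH records sharing the same audit(timestamp:serial) id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1198891800.101:45): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=1b6 a3=0 items=1 ppid=1000 pid=1005 auid=500 uid=500 comm="bash" exe="/bin/bash" key="allsys"
type=CWD msg=audit(1198891800.101:45): cwd="/home/marius"
type=PATH msg=audit(1198891800.101:45): item=0 name="/etc/hosts" inode=12 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1198891800.102:46): arch=c000003e syscall=0 success=yes exit=512 a0=3 a1=7fff a2=200 a3=0 items=0 ppid=1000 pid=1005 auid=500 uid=500 comm="bash" exe="/bin/bash" key="allsys"
type=SYSCALL msg=audit(1198891800.150:47): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1 pid=2001 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="allsys"
type=SYSCALL msg=audit(1198891800.151:48): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=0 a2=10 a3=0 items=0 ppid=1 pid=2001 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="allsys"
"""


def syscall_rules(pid=None, exclude=(), key=None):
    """Return auditctl argument lists for auditing syscalls.

    pid=None omits '-F pid=', so the rule matches every process (the
    answer given in the thread). Names in 'exclude' become a 'never' rule
    placed *before* the 'always' rule: audit evaluates rules in order and
    the first match wins, so exclusions must come first to take effect.
    """
    rules = []
    if exclude:
        never = ["-a", "never,exit"]
        for name in exclude:
            never += ["-S", name]
        rules.append(never)
    always = ["-a", "always,exit", "-S", "all"]
    if pid is not None:
        always += ["-F", "pid=%d" % pid]
    if key:
        always += ["-k", key]
    rules.append(always)
    return rules


# Only SYSCALL records carry the syscall number; CWD/PATH records are skipped.
# '\bpid=' deliberately does not match inside 'ppid='.
SYSCALL_RE = re.compile(
    r'^type=SYSCALL .*?\bsyscall=(\d+) success=(yes|no) .*?\bpid=(\d+) .*?\bcomm="([^"]*)"'
)


def parse_syscall_record(line):
    """Return (pid, comm, syscall_nr, success) for a SYSCALL record, else None."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    return int(m.group(3)), m.group(4), int(m.group(1)), m.group(2) == "yes"


def summarize(log_text, pid=None):
    """Count SYSCALL records per (pid, comm, syscall_nr), optionally for one pid."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_syscall_record(line)
        if rec is None:
            continue
        rpid, comm, nr, _ok = rec
        if pid is not None and rpid != pid:
            continue
        counts[(rpid, comm, nr)] += 1
    return counts


if __name__ == "__main__":
    for rule in syscall_rules(pid=1005):
        print("auditctl", " ".join(rule))
    for rule in syscall_rules(exclude=("read", "write"), key="allsys"):
        print("auditctl", " ".join(rule))
    for (rpid, comm, nr), n in sorted(summarize(SAMPLE_LOG).items()):
        print("pid=%d comm=%s syscall=%d count=%d" % (rpid, comm, nr, n))
```

Auditing `-S all` across every process is extremely chatty on a busy host; load the rules with `auditctl -R` from a file after checking the volume on a test machine, and use the `-k` key so `ausearch -k allsys` can pull just these records back out.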
