Open ArcticB opened 4 years ago
We've discussed having a config file, but haven't done any formal planning for it. How would you imagine it would work? I'm imagining a dotfile type configuration that could be placed in a known location per user and per machine, i.e., ~ and /etc/somewhere.
To my mind, it could be a global config file (/etc) where you define the syscalls that you want to monitor. While hooking one of those syscalls, it would log the call in a file defined in the conf. And finally it would be possible to set filters on syscall args and return. That's how I see it, but it can be done another way.
Hello,
I'm glad to see that there is finally a concrete implementation of syscall hooking using eBPF. What do you think about adding static configurations to your solution in order to replace systems like Auditd?
Thanks