Sysinternals / ProcMon-for-Linux

Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.
MIT License
3.97k stars 253 forks

Possibility to add a static config file and to log syscalls #11

Open ArcticB opened 4 years ago

ArcticB commented 4 years ago

Hello,

I'm glad to see that there is finally a concrete implementation of syscall hooking using eBPF. What do you think about adding static configurations to your solution in order to replace systems like Auditd?

Thanks

josalem commented 4 years ago

We've discussed having a config file, but haven't done any formal planning for it. How would you imagine it would work? I'm imagining a dotfile type configuration that could be placed in a known location per user and per machine, i.e., ~ and /etc/somewhere.

ArcticB commented 4 years ago

To my mind, it could be a global config file (/etc) where you define syscalls that you want to monitor. While hooking one of those syscalls, it would log the call in a file defined in the conf. And finally it would be possible to set filters on syscall args and return. That's how I see it, but it can be done another way.
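As an added illustration of the config-file idea discussed in this thread (example code written here, not code from the ProcMon-for-Linux project): a hypothetical config that names the syscalls to monitor, a log file, and per-syscall filters on arguments and return value, evaluated against constructed sample events. The config format, field names, log path and events are all assumptions.

```python
import json
import re

# Hypothetical config layout (assumed, not procmon's own): syscalls to watch,
# where to log, and optional filters on argument values (regex) and return value.
SAMPLE_CONFIG = {
    "log_file": "/var/log/procmon-syscalls.log",  # assumed path, not used offline
    "syscalls": {
        "openat": {"args": {"filename": "^/etc/"}, "ret": "<0"},  # failed opens under /etc
        "execve": {},                                            # log every execve
        "connect": {"ret": "<0"},                                # failed connects only
    },
}

# Constructed sample events, shaped like what a syscall tracer might emit.
SAMPLE_EVENTS = [
    {"pid": 1201, "comm": "bash", "syscall": "openat", "args": {"filename": "/etc/shadow"}, "ret": -13},
    {"pid": 1201, "comm": "bash", "syscall": "openat", "args": {"filename": "/etc/passwd"}, "ret": 3},
    {"pid": 1202, "comm": "curl", "syscall": "connect", "args": {"addr": "10.0.0.5:443"}, "ret": 0},
    {"pid": 1203, "comm": "sh", "syscall": "execve", "args": {"filename": "/usr/bin/id"}, "ret": 0},
    {"pid": 1204, "comm": "cat", "syscall": "read", "args": {"fd": 3}, "ret": 512},
]

_RET_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(-?\d+)$")

def ret_matches(expr, value):
    """Evaluate a return-value filter such as '>=0' or '<0' against an integer."""
    m = _RET_RE.match(expr.strip())
    if not m:
        raise ValueError(f"bad return filter: {expr!r}")
    op, n = m.group(1), int(m.group(2))
    return {"<": value < n, "<=": value <= n, ">": value > n,
            ">=": value >= n, "==": value == n, "!=": value != n}[op]

def event_matches(rule, event):
    """True when every argument regex and the return filter in the rule accept the event."""
    for arg, pattern in rule.get("args", {}).items():
        if not re.search(pattern, str(event["args"].get(arg, ""))):
            return False
    return "ret" not in rule or ret_matches(rule["ret"], event["ret"])

def filter_events(config, events):
    """Keep only events for configured syscalls whose filters match."""
    rules = config["syscalls"]
    return [e for e in events if e["syscall"] in rules and event_matches(rules[e["syscall"]], e)]

def format_log_line(event):
    """Render one event as a single log line (args as sorted JSON for stable output)."""
    return f'{event["comm"]}[{event["pid"]}] {event["syscall"]}({json.dumps(event["args"], sort_keys=True)}) = {event["ret"]}'

if __name__ == "__main__":
    for e in filter_events(SAMPLE_CONFIG, SAMPLE_EVENTS):
        print(format_log_line(e))  # a real tool would append these to config["log_file"]
```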