* Javier Godinez (godinezj(a)gmail.com) wrote:
> I appreciate your response, I am a bit new to this so please bear
> with me, one more question. So if I wanted to log every time that a
> delete is performed, then it would probably be better to do it by
> number, right, like this:
>
> -a entry,always -S 10
>
> rather than this, right?
>
> -a entry,always -S unlink
Considering unlink(2) is not a new syscall, I think you'd actually be
better off using the name (it's more portable between architectures for
one thing).
> and if I want to log every time chown is called I would do:
>
> -a entry,always -S 182
Same here. These numbers are different depending on the arch.
> does this seem correct?
I'd use names when possible. In fact, auditctl will tell you when it
doesn't know the name.
thanks,
-chris
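As an added example (not from the thread), here is the kind of rule set Chris's advice points toward: every syscall is named rather than numbered, and each rule is emitted once per architecture so the same file loads on both 32-bit and 64-bit systems. It uses the current auditctl syntax (`-a always,exit -F arch=...`), which replaced the `-a entry,always` form used above; the rule keys `delete` and `chown`, and the extra related syscalls (unlinkat, rmdir, rename, fchown, ...), are my assumptions, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Generates audit rules by syscall NAME
# for both arches so one rules file is portable between i386 and x86_64.
# Load the output with: delete_rules chown_rules > /etc/audit/rules.d/50-portable.rules

# Emit one rule for one architecture.
#   $1 = audit arch (b32 or b64), $2 = rule key, remaining args = syscall names
audit_rules_for_arch() {
    arch="$1"
    key="$2"
    shift 2
    line="-a always,exit -F arch=$arch"
    for sc in "$@"; do
        line="$line -S $sc"
    done
    printf '%s -k %s\n' "$line" "$key"
}

# Log every file deletion/rename, on both arches (key: delete, assumed).
delete_rules() {
    audit_rules_for_arch b32 delete unlink unlinkat rmdir rename renameat
    audit_rules_for_arch b64 delete unlink unlinkat rmdir rename renameat
}

# Log every ownership change, on both arches (key: chown, assumed).
chown_rules() {
    audit_rules_for_arch b32 chown chown fchown lchown fchownat
    audit_rules_for_arch b64 chown chown fchown lchown fchownat
}

# Optional sanity check before loading: ask the audit userspace (ausyscall)
# whether each name resolves for the given arch, which is the same lookup
# auditctl performs when it reports an unknown syscall name.
#   $1 = arch name as ausyscall expects it (i386 or x86_64), rest = syscall names
check_syscall_names() {
    arch="$1"
    shift
    command -v ausyscall >/dev/null 2>&1 || { echo "ausyscall not installed; skipping check"; return 0; }
    rc=0
    for sc in "$@"; do
        ausyscall "$arch" "$sc" >/dev/null 2>&1 || { echo "unknown syscall name for $arch: $sc"; rc=1; }
    done
    return $rc
}
```

Running `delete_rules; chown_rules` prints four rule lines; review them, then load with `auditctl -R` or drop them into `/etc/audit/rules.d/`. Because the rules carry `-F arch=`, auditctl can resolve each name against the right table, so a number mismatch between i386 and x86_64 (the problem Chris describes) cannot creep in.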