Quick question,
Do the supported system calls depend on what the kernel supports or do
they depend on what auditd supports? It seems to me that it would have
to depend on whatever the kernel wants to send to user space, right? So
every syscall that we want to be audited would have to be first
implemented in the kernel, am I getting this right? I was looking
through the auditd sources and I was not able to find a list of
supported syscalls.
Any help would be greatly appreciated, thanks,
Javier Godinez