ubuntu auditd rule for PID process

# To see all syscalls made by a specific program (matched here by process ID, PID 1005):
sudo auditctl -a always,exit -S all -F pid=1005

# To watch a file for changes (2 ways to express):

sudo auditctl -w /etc/shadow -p wa
sudo auditctl -a always,exit -F path=/etc/shadow -F perm=wa
Source: manpages.ubuntu.com