Hi,
I'm working on a honeypot and auditing it.
I have a server with several containers in it.
All the processes from those containers are children of a process with id X.
So if I use this rule
    auditctl -a always,exit -S all -F ppid X
I can see all the syscalls that have this ppid. For example:
If I start the program "top" in a container, top is a child of bash and bash is a child of X. I need to see all the syscalls, but I'm only getting the ones from bash, the first child.
Is there a way to set a rule to do this recursively for all its children?
I would really rather continue using linux-audit instead of dtrace.
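One way to cover the grandchildren that a single ppid rule misses, as an added example that is not part of the original post: a POSIX shell script (my own construction; the key name honeypot_tree and the optional directory argument are assumptions) that walks /proc/<pid>/stat to collect every descendant of X and prints one auditctl rule per PID. Per-PID rules only match processes that exist when the rules are loaded, so anything spawned later gets a fresh PID and is not covered.

```shell
#!/bin/sh
# Enumerate the process tree under a root PID by reading <dir>/<pid>/stat
# (dir is /proc on a live system) and print one auditctl rule per process.

# pid_ppid_table DIR: print "pid ppid" for every process directory under DIR.
pid_ppid_table() {
    dir="$1"
    for s in "$dir"/[0-9]*/stat; do
        [ -r "$s" ] || continue
        pid=${s#"$dir"/}; pid=${pid%/stat}
        # comm (field 2) may contain spaces or parentheses; drop everything up
        # to the last ") " so that the parent pid is always $2 of the remainder.
        rest=$(sed 's/^.*) //' "$s")
        set -- $rest
        echo "$pid $2"
    done
}

# descendants ROOTPID [DIR]: breadth-first walk, one descendant PID per line.
descendants() {
    root="$1"; dir="${2:-/proc}"
    table=$(pid_ppid_table "$dir")
    queue="$root"
    while [ -n "$queue" ]; do
        cur=${queue%% *}
        [ "$cur" = "$queue" ] && queue="" || queue=${queue#* }
        for kid in $(printf '%s\n' "$table" | awk -v p="$cur" '$2 == p {print $1}'); do
            echo "$kid"
            queue="${queue:+$queue }$kid"
        done
    done
}

# audit_rules_for_tree ROOTPID [DIR]: print the auditctl commands instead of
# running them, so the rule set can be reviewed before it is loaded.
# The key "honeypot_tree" is an assumed name for later ausearch -k lookups.
audit_rules_for_tree() {
    for p in "$1" $(descendants "$1" "${2:-/proc}"); do
        echo "auditctl -a always,exit -S all -F pid=$p -k honeypot_tree"
    done
}
```

Run `audit_rules_for_tree X` on the host and pipe the output through `sh` once the rules look right; re-run it when new containers or shells have been started.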