|
|
@ -139,7 +139,7 @@ time find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 st |
|
|
|
|
|
|
|
|
## Syscall logging with auditd |
|
|
## Syscall logging with auditd |
|
|
auditd is able to log every single syscall of a process. |
|
|
auditd is able to log every single syscall of a process. |
|
|
1. `autrace [-r] path/to/executable -with -args` |
|
|
1. `autrace [-r] /path/to/executable -with -args` |
|
|
2. When the executable is finished, it returns a pid number |
|
|
2. When the executable is finished, it returns a pid number |
|
|
3. `ausearch -i -p <pid> > /path/to/auditlog` saves then the complete audit log to a file. |
|
|
3. `ausearch -i -p <pid> > /path/to/auditlog` saves then the complete audit log to a file. |
|
|
4. find all accessed files with |
|
|
4. find all accessed files with |
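Review bot: step 4 ends with "find all accessed files with" and no command follows on either side of the hunk, so the procedure is still incomplete after this change; please supply the command (for instance, filtering the saved `ausearch -i` output for the `name=` fields of its PATH records) or drop the dangling "with". The path fix `path/to/executable` -> `/path/to/executable` in step 1 is fine, but while touching this list, step 3 reads more naturally as "then saves the complete audit log to a file", and the `[-r]` option in step 1 should get a word of explanation (autrace's reduced-rule mode) so readers know when to use it.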
|
|
|