Monitoring Miscellaneous System Calls

As well as auditing file system related system calls, as described in Section 31.3, “Monitoring File System Objects”, you can also track various other system calls. Tracking task creation (fork, vfork and clone) shows which processes your applications spawn and from where. Auditing the umask system call shows when a process changes its file mode creation mask, and therefore the default permissions of every file it creates afterwards. Tracking attempts to change the system time helps you identify any user or process trying to manipulate the clock, for example to make log timestamps unreliable.

1
## Current auditctl no longer accepts the old "entry" list; syscall rules
## go on the exit list. Specify the arch on biarch systems, because syscall
## numbers differ between the 32-bit and 64-bit ABIs, and tag each rule
## with a key (-k) so that ausearch -k can pull out the matching records.
-a always,exit -F arch=b64 -S clone -S fork -S vfork -k task-create
-a always,exit -F arch=b32 -S clone -S fork -S vfork -k task-create
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a always,exit -S clone2 -k task-create

2
-a always,exit -F arch=b64 -S umask -k umask
-a always,exit -F arch=b32 -S umask -k umask

3
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time-change

1

Track task creation. clone, fork and vfork are the system calls through which new processes are created on most architectures. To enable task tracking on the ia64 architecture, comment the first rule and enable the second one (clone2). On architectures that implement fork and vfork on top of clone, such as AArch64, auditctl rejects those two names, so list only clone there (and clone3 on kernels and auditctl versions that know it). Expect a high event rate from these rules on a busy system.

2

Add an audit context to the umask system call. umask only changes the file mode creation mask of the calling process; it does not alter the permissions of existing files. Nearly every shell and daemon calls it at start-up, so search the results by key, auid or exe rather than reading the whole stream.

3

Track attempts to change the system time. adjtimex can be used to skew the time; it is also what NTP daemons use for legitimate slewing, so expect regular hits from them. settimeofday and clock_settime set the absolute time. Failed calls are logged as well (success=no), which is how an unprivileged user's attempt to reset the clock shows up.