Skip to content

Instantly share code, notes, and snippets.

To see all syscalls made by a program:
auditctl -a entry,always -S all -F pid=1005
To see files opened by a specific user:
auditctl -a exit,always -S open -F auid=510
To see unsuccessful open call’s:
auditctl -a exit,always -S open -F success!=0