Problem/Justification
Request support for Sysmon for Linux (sysmonforlinux): microsoft/SysmonForLinux on GitHub
Install instructions via apt: INSTALL.md in the microsoft/SysmonForLinux repository on GitHub
Impact
Sysmon for Linux is a Microsoft Sysinternals tool that provides Linux security monitoring of system events via eBPF. Configuration and use roughly parallel Windows Sysmon: an XML configuration file specifies which system events should be logged via the Sysmon/Operational event channel. On Debian Linux these messages are logged to /var/log/syslog.
User Story
Following installation, the sole means of user interaction with Sysmon for Linux would be updating its configuration file. It should be possible to trigger a configuration update by pointing the app at a new configuration file located somewhere within the TrueNAS filesystem (emulating the terminal command ‘sysmon -c .xml’).
Alerts generated by Sysmon for Linux can be easily forwarded via remote syslog or other syslog monitoring methods.
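To show what the syslog records described above look like once they are consumed by a forwarder or monitor, here is an added example (not code from the request author or from the SysmonForLinux project) that parses Sysmon for Linux events out of syslog lines. It assumes the event body is the Windows-event-style XML Sysmon for Linux writes into /var/log/syslog; the sample lines, the host name "truenas", and the Provider Guid value are constructed placeholders, and the event-ID names are the standard Sysmon ones.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample syslog lines (not real captures). Layout is assumed to match
# what Sysmon for Linux writes to /var/log/syslog; the Guid is a placeholder.
SAMPLE_SYSLOG = [
    'Mar  4 12:00:01 truenas sysmon: <Event><System><Provider Name="Linux-Sysmon" '
    'Guid="{PLACEHOLDER-GUID}"/><EventID>1</EventID>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>truenas</Computer></System>'
    '<EventData><Data Name="RuleName">-</Data><Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl -sS http://example.invalid/report.txt</Data>'
    '<Data Name="User">root</Data><Data Name="ParentImage">/bin/bash</Data>'
    '</EventData></Event>',
    'Mar  4 12:00:02 truenas sysmon: <Event><System><Provider Name="Linux-Sysmon" '
    'Guid="{PLACEHOLDER-GUID}"/><EventID>3</EventID>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>truenas</Computer></System>'
    '<EventData><Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="DestinationIp">192.0.2.10</Data><Data Name="DestinationPort">80</Data>'
    '</EventData></Event>',
    # Unrelated syslog traffic that a forwarder must ignore.
    'Mar  4 12:00:03 truenas CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)',
    # A truncated record (cut-off line): must be skipped, not crash the parser.
    'Mar  4 12:00:04 truenas sysmon: <Event><System><EventID>1</EventID>',
]

# Standard Sysmon event IDs (same numbering on Windows and Linux).
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 5: "ProcessTerminate", 11: "FileCreate"}

# Message part of a syslog line tagged by sysmon, optionally with a [pid].
_SYSMON_MSG = re.compile(r" sysmon(?:\[\d+\])?: (<Event>.*)$")


def parse_sysmon_line(line):
    """Return a dict for one Sysmon for Linux syslog record, or None for any other line."""
    m = _SYSMON_MSG.search(line)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group(1))
    except ET.ParseError:
        return None  # truncated or malformed XML: skip rather than abort the whole stream
    event_id_el = root.find("./System/EventID")
    if event_id_el is None or not (event_id_el.text or "").strip().isdigit():
        return None
    event_id = int(event_id_el.text.strip())
    computer_el = root.find("./System/Computer")
    # EventData/Data elements carry the fields the XML config rules filter on.
    data = {d.get("Name"): (d.text or "") for d in root.findall("./EventData/Data")}
    return {
        "event_id": event_id,
        "event_name": EVENT_NAMES.get(event_id, f"EventID{event_id}"),
        "computer": computer_el.text if computer_el is not None else "",
        "data": data,
    }


def parse_syslog(lines):
    """Parse every Sysmon record in an iterable of syslog lines, dropping the rest."""
    return [ev for ev in map(parse_sysmon_line, lines) if ev is not None]


def count_by_event_id(events):
    """Event-ID histogram, useful as a sanity check that the config is producing events."""
    return dict(Counter(ev["event_id"] for ev in events))


def process_create_summary(events):
    """One-line summaries of ProcessCreate (ID 1) events, the shape you would forward."""
    return [
        f'{ev["computer"]} {ev["data"].get("User", "?")} '
        f'{ev["data"].get("ParentImage", "?")} -> {ev["data"].get("CommandLine", "?")}'
        for ev in events
        if ev["event_id"] == 1
    ]


if __name__ == "__main__":
    parsed = parse_syslog(SAMPLE_SYSLOG)
    print(count_by_event_id(parsed))
    for line in process_create_summary(parsed):
        print(line)
```

Pointing `parse_syslog` at `open("/var/log/syslog")` instead of the constructed list gives the same structured records for a live host; the parser deliberately returns None for non-Sysmon lines and for a record cut off mid-XML, so a forwarder built on it keeps running when the log is rotated or truncated underneath it.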