On Tuesday 08 May 2007 14:02:06 Matthew Booth wrote: I have not created such a document. I don't know if anyone else has either. I plan to start creating a bunch of documentation for the audit system this summer. -Steve

On Sunday 13 May 2007 14:17:54 Matthew Booth wrote: If the syscall is of interest and a context has been created, as the syscall is handled it passes certain checkpoints where we gather information as an auxiliary record. The code passed through one of the hooks? That was probably talked about on this mail list maybe 2 years ago. I seem to recall something about it. In essence, as soon as a syscall becomes of interest, all hooks add aux records to describe different aspects of what happened during the syscall. If the ld library is in the syscall record, it was used by the kernel during the execve syscall. -Steve