On Thursday, July 12, 2012 03:04:11 PM Xiaokui Shu wrote:
Hello,
I have a question about one of the features of audit.
Can I use audit to log the EIP/RIP at time of syscall? There is a "-i"
flag in strace that does the work.
No. The audit system does not collect that information. Maybe trace points or
systemtap would be a better approach for that kind of thing?
-Steve
When I compare the mechanisms of audit and strace(ptrace), I find
maybe it is not possible for strace to do so. Audit is on the kernel
side of a syscall, and does not know the audited program's internal
information (I am not sure if I understand it right). However, one can
still fetch extra information out of the syscall event (e.g. block a
syscall when coming, check the audited program stack and clear
blocking), but it may bring much overhead.
Best,
Xiaokui
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit