How system calls are audited

While talking to Tomas about measuring the impact of auditing, he gave me a nice call flow tree which I thought I'd share.

This is how syscall auditing looks (for Intel):

  + dosyscall()
    |
    + syscall_entry()
    | |
    | + pre_syscall() (if t_pre_sys set)
    |   |
    |   + audit_start() (if audit_active set)
    |     |
    |     + au_init
    |     | |
    |     | + aui_*()
    |     + auditme() (to audit or not to audit)
    |     + au_start
    |       |
    |       + aus_*()
    |
   ...
    |
    |
    + syscall_exit()
    | |
    | + post_syscall()
    |   |
    |   + audit_finish() (if audit_active set)
    |     |
    |     + au_finish
    |       |
    |       + auf_*()
   ...

Update: the ASCII graph was hand crafted
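To make the gating in that tree concrete, here is an added user-space model of the same call flow. It is example code written for this page, not the post's own material and not Solaris kernel source: the function names follow the tree (dosyscall, syscall_entry, pre_syscall, audit_start, au_init, aui_*, auditme, au_start, aus_*, syscall_exit, post_syscall, audit_finish, au_finish, auf_*), but the syscall numbers, the class bit masks, the hook signatures, the per-process preselection mask and the record layout are all assumptions made so the control flow can be run and observed. What it shows is the three things that decide whether a call produces a record: the per-thread t_pre_sys flag selecting the slow path, the system-wide audit_active switch, and the auditme() preselection decision.

```c
/* Added example (not from the post or the Solaris source): a user-space model
 * of the syscall audit call flow. Names follow the tree; flags, masks, hook
 * signatures and record layout are constructed assumptions. */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

enum { SYS_OPEN = 0, SYS_CLOSE = 1, SYS_GETPID = 2, NSYSCALLS = 3 }; /* constructed */
enum { AC_FILE = 0x1, AC_PROC = 0x2 };   /* constructed event-class bits */

static bool t_pre_sys;      /* per-thread: take the slow path through pre_syscall() */
static bool audit_active;   /* system-wide: is the audit subsystem enabled? */
static unsigned proc_mask;  /* per-process preselection mask consulted by auditme() */

struct audit_rec { int sysnum; char detail[64]; int retval; bool pending; };
static struct audit_rec cur;    /* the in-progress record for the current thread */
static int records_emitted;

/* aui_*: pre-initialisation, decides the audit event class of this call. */
static unsigned aui_open(void)   { return AC_FILE; }
static unsigned aui_close(void)  { return AC_FILE; }
static unsigned aui_getpid(void) { return AC_PROC; }

/* aus_*: start, captures the arguments worth recording. */
static void aus_path(struct audit_rec *r, const char *arg) {
    snprintf(r->detail, sizeof r->detail, "path=%s", arg);
}
static void aus_none(struct audit_rec *r, const char *arg) { (void)arg; r->detail[0] = '\0'; }

/* auf_*: finish, attaches the return value once the call has completed. */
static void auf_return(struct audit_rec *r, int rv) { r->retval = rv; }

struct au_hooks {
    unsigned (*aui)(void);
    void (*aus)(struct audit_rec *, const char *);
    void (*auf)(struct audit_rec *, int);
};
static const struct au_hooks hooks[NSYSCALLS] = {
    [SYS_OPEN]   = { aui_open,   aus_path, auf_return },
    [SYS_CLOSE]  = { aui_close,  aus_none, auf_return },
    [SYS_GETPID] = { aui_getpid, aus_none, auf_return },
};

/* "to audit or not to audit": preselection of the event class against the process mask. */
static bool auditme(unsigned ev_class) { return (ev_class & proc_mask) != 0; }

static void au_init(int sysnum) { memset(&cur, 0, sizeof cur); cur.sysnum = sysnum; }

static void audit_start(int sysnum, const char *arg) {
    au_init(sysnum);
    unsigned ev = hooks[sysnum].aui();      /* au_init -> aui_*() */
    if (!auditme(ev)) return;               /* not preselected: no record for this call */
    cur.pending = true;
    hooks[sysnum].aus(&cur, arg);           /* au_start -> aus_*() */
}

static void pre_syscall(int sysnum, const char *arg) {
    if (audit_active) audit_start(sysnum, arg);
}

/* Stand-in for the real syscall table: constructed return values. */
static int do_the_call(int sysnum) {
    switch (sysnum) { case SYS_OPEN: return 3; case SYS_CLOSE: return 0; default: return 4242; }
}

static int syscall_entry(int sysnum, const char *arg) {
    if (t_pre_sys) pre_syscall(sysnum, arg); /* fast path skips auditing entirely */
    return do_the_call(sysnum);
}

static void audit_finish(int sysnum, int rv) {
    if (!cur.pending || cur.sysnum != sysnum) return;
    hooks[sysnum].auf(&cur, rv);            /* au_finish -> auf_*() */
    records_emitted++;
    printf("audit record: sysnum=%d %s ret=%d\n", cur.sysnum, cur.detail, cur.retval);
    cur.pending = false;
}

static void post_syscall(int sysnum, int rv) { if (audit_active) audit_finish(sysnum, rv); }
static void syscall_exit(int sysnum, int rv) { post_syscall(sysnum, rv); }

int dosyscall(int sysnum, const char *arg) {
    int rv = syscall_entry(sysnum, arg);
    syscall_exit(sysnum, rv);
    return rv;
}

/* Run open/close/getpid under one configuration; returns the number of records emitted. */
int run_scenario(bool pre_sys, bool active, unsigned mask) {
    t_pre_sys = pre_sys; audit_active = active; proc_mask = mask;
    records_emitted = 0;
    memset(&cur, 0, sizeof cur);
    dosyscall(SYS_OPEN, "/etc/passwd");
    dosyscall(SYS_CLOSE, NULL);
    dosyscall(SYS_GETPID, NULL);
    return records_emitted;
}

int main(void) {
    printf("%d records (audit on, file class only)\n", run_scenario(true, true, AC_FILE));
    printf("%d records (audit on, t_pre_sys clear)\n", run_scenario(false, true, AC_FILE | AC_PROC));
    printf("%d records (audit off)\n", run_scenario(true, false, AC_FILE | AC_PROC));
    return 0;
}
```

The point to take from the three scenarios is that a record is only ever written from audit_finish(), and only when every gate on the way in was open: with t_pre_sys clear the thread never enters pre_syscall() at all, so no amount of audit configuration produces a record, and with the class absent from the process mask auditme() drops the call before any argument is captured.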


Comments:

Did you use a script to create the ASCII art ? If "yes" ... is there a way to get the script ?

Posted by Roland Mainz on August 24, 2007 at 12:35 PM PDT #
