How system calls are audited
By martin on Aug 24, 2007
While talking to Tomas about measuring the impact of auditing, he gave me a nice call flow tree which I thought I'd share.
This is how syscall auditing looks (for Intel):
    + dosyscall()
    |
    + syscall_entry()
    |  |
    |  + pre_syscall()          (if t_pre_sys set)
    |     |
    |     + audit_start()       (if audit_active set)
    |        |
    |        + au_init
    |        |  |
    |        |  + aui_*()
    |        + auditme()        (to audit or not to audit)
    |        + au_start
    |           |
    |           + aus_*()
    |  ...
    |
    + syscall_exit()
       |
       + post_syscall()
          |
          + audit_finish()      (if audit_active set)
             |
             + au_finish
                |
                + auf_*()
       ...
Update: the ASCII graph was hand-crafted.
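To make the gating in the tree concrete, here is an added C model of the hook chain in the order the diagram shows it; it is not Solaris kernel code. The "write" syscall, its event class, the preselection mask and the counters are constructed stand-ins, and the point it demonstrates is which hooks run when audit_active is off, when it is on but the event is not preselected, and when the record is actually written.

```c
/* Constructed C model of the hook chain in the tree above.  This is NOT
 * Solaris kernel code: the names mirror the diagram, the bodies are
 * illustrative, and the "write" syscall, its event class and the
 * preselection mask are made-up stand-ins. */
#include <stddef.h>

/* Gates seen in the diagram, modelled as globals. */
int t_pre_sys = 1;                 /* thread has pre-syscall work (audit) */
int audit_active = 1;              /* auditing enabled system-wide */
unsigned preselect_mask = 0x1u;    /* constructed: bit 0 = "file write" class */

/* A minimal audit record assembled across entry and exit. */
typedef struct { const char *name; long arg; long ret; int started, committed; } audit_rec_t;
static audit_rec_t rec;
static int aui_calls, aus_calls, auf_calls;   /* hook invocation counters */

void audit_model_reset(void) {
    audit_rec_t empty = { NULL, 0, 0, 0, 0 };
    rec = empty; aui_calls = aus_calls = auf_calls = 0;
}
int audit_hook_count(int which) { return which == 0 ? aui_calls : which == 1 ? aus_calls : auf_calls; }
int audit_record_committed(void) { return rec.committed; }

/* aui_*: per-syscall init hook, seeds the record from the arguments. */
static void aui_write(long arg) { aui_calls++; rec.name = "write"; rec.arg = arg; }
/* auditme(): to audit or not to audit, decided by preselection of the event class. */
static int auditme(unsigned ev_class) { return (preselect_mask & ev_class) != 0; }
/* aus_*: entry hook, adds argument tokens and marks the record as started. */
static void aus_write(void) { aus_calls++; rec.started = 1; }
/* auf_*: exit hook, adds the return value and commits the record. */
static void auf_write(long ret) { auf_calls++; rec.ret = ret; rec.committed = 1; }

static void audit_start(long arg) {    /* au_init -> aui_*, auditme, au_start -> aus_* */
    aui_write(arg);
    if (auditme(0x1u)) aus_write();
}
static void audit_finish(long ret) {   /* au_finish -> auf_*, only for a started record */
    if (rec.started) auf_write(ret);
}

/* syscall_entry / syscall_exit of the diagram, with the same gating. */
long dosyscall(long arg) {
    long ret;
    if (t_pre_sys && audit_active) audit_start(arg);   /* pre_syscall() path */
    ret = arg + 1;                                     /* stand-in for the syscall body */
    if (audit_active) audit_finish(ret);               /* post_syscall() path */
    return ret;
}
```

Note that in this model the aui_* hook runs before auditme() decides, so that cost is paid for every audited-class syscall once audit_active is set, even when the event is not preselected.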