Hello, I have a question about one of the features of audit. Can I use audit to log the EIP/RIP at time of syscall? There is a "-i" flag in strace that does the work.
When I compare the mechanisms of audit and strace(ptrace), I find maybe it is not possible for strace to do so. Audit is on the kernel side of a syscall, and does not know the audited program's internal information (I am not sure if I understand it right). However, one can still fetch extra information out of the syscall event (e.g. block a syscall when coming, check the audited program stack and clear blocking), but it may bring much overhead. Best, Xiaokui -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
