On Thu, Jul 12, 2012 at 3:04 PM, Xiaokui Shu <[email protected]> wrote: > Hello, > > I have a question about one of the features of audit. > Can I use audit to log the EIP/RIP at time of syscall? There is a "-i" > flag in strace that does the work. > > When I compare the mechanisms of audit and strace(ptrace), I find > maybe it is not possible for strace to do so. Audit is on the kernel "strace" -> "audit" in the sentence above. Sorry for the mistyping.
> side of a syscall, and does not know the audited program's internal > information (I am not sure if I understand it right). However, one can > still fetch extra information out of the syscall event (e.g. block a > syscall when coming, check the audited program stack and clear > blocking), but it may bring much overhead. > > Best, > Xiaokui -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
