From mboxrd@z Thu Jan 1 00:00:00 1970 From: Xiaokui Shu Subject: retrieve EIP/RIP for syscall in audit Date: Thu, 12 Jul 2012 15:04:11 -0400 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com [10.5.110.18]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q6CJ4DRp004283 for ; Thu, 12 Jul 2012 15:04:13 -0400 Received: from mail-lb0-f174.google.com (mail-lb0-f174.google.com [209.85.217.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q6CJ4BCq005468 for ; Thu, 12 Jul 2012 15:04:12 -0400 Received: by lbbgm6 with SMTP id gm6so4359297lbb.33 for ; Thu, 12 Jul 2012 12:04:11 -0700 (PDT) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com Hello, I have a question about one of the features of audit. Can I use audit to log the EIP/RIP at time of syscall? There is a "-i" flag in strace that does the work. When I compare the mechanisms of audit and strace(ptrace), I find maybe it is not possible for strace to do so. Audit is on the kernel side of a syscall, and does not know the audited program's internal information (I am not sure if I understand it right). However, one can still fetch extra information out of the syscall event (e.g. block a syscall when coming, check the audited program stack and clear blocking), but it may bring much overhead. Best, Xiaokui