Hello, I am currently doing a project based on the Linux audit framework and I am using it to audit selected system calls. I have written my own parser for it. What I need to know is how many events are generated per system call so I know when it has finished. I have run a few test cases regarding this, but I am not sure if I have covered every possible situation. Are the number of events generated per system call always the same, or can they change from place to place? I'll illustrate what I am saying.

For example, when an OPEN system call happens, three events are generated by the audit framework, i.e. SYSCALL, CWD, PATH events. These three together define the open system call. I am trying to get the same profile for the following calls (I am adding the profiles I have already tested for):

    open      = sys.cwd.path
    execv     = sys.execve.cwd.path.path
    clone
    vfork     = clone+execve
    fork      = clone+execve
    connect
    accept
    close
    read      = sys
    readv
    write     = sys
    writev
    rename    = sys.cwd.path.path.path.path.path
    mknod     = sys.cwd.path
    truncate  = open+read+write
    ftruncate = open+read+write
    link
    unlink
    symlink
    pipe      = sys.fd_pair
    dup
    dup2

It would be really helpful to know if the number of events generated per system call changes or whether it stays the same. And is there any documentation on what events are generated, or do I have to run small test cases for all the aforementioned system calls?

Thanks,
Basim
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
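One way to write the grouping step of a parser like the one described in the post, as an added example that is not from the post or from the audit project: records of one system call share the serial inside the audit(timestamp:serial) stamp, and the event ends when its EOE record arrives, so the parser keys on the serial and EOE instead of a fixed record count. The log lines are constructed samples, not a real capture, and the code assumes the kernel emits EOE for syscall events (it does not for single-record event types, which the parser flushes at end of input).

```python
import re

# Constructed sample of audit.log output (not a real capture): one open(2) and one
# rename(2). Every record of a syscall event carries the same serial; EOE ends the event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.123:501): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1234 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="files"
type=CWD msg=audit(1300000000.123:501): cwd="/home/user"
type=PATH msg=audit(1300000000.123:501): item=0 name="notes.txt" inode=11 dev=fd:01 mode=0100644 ouid=1000 ogid=1000
type=EOE msg=audit(1300000000.123:501):
type=SYSCALL msg=audit(1300000000.456:502): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=1234 auid=1000 uid=1000 comm="mv" exe="/bin/mv" key="files"
type=CWD msg=audit(1300000000.456:502): cwd="/home/user"
type=PATH msg=audit(1300000000.456:502): item=0 name="/home/user" inode=2 nametype=PARENT
type=PATH msg=audit(1300000000.456:502): item=1 name="/home/user" inode=2 nametype=PARENT
type=PATH msg=audit(1300000000.456:502): item=2 name="old.txt" inode=12 nametype=DELETE
type=PATH msg=audit(1300000000.456:502): item=3 name="new.txt" inode=12 nametype=CREATE
type=EOE msg=audit(1300000000.456:502):
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; returns None for lines that are not records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'ts': m['ts'], 'serial': int(m['serial'])}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m['body']))
    return rec

def parse_log(text):
    """Group records by serial; an event completes at its EOE record, not after a
    fixed record count, since the number of PATH records varies per syscall/args."""
    pending, done = {}, []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec['type'] == 'EOE':
            if rec['serial'] in pending:
                done.append((rec['serial'], pending.pop(rec['serial'])))
            continue
        pending.setdefault(rec['serial'], []).append(rec)
    done.extend(pending.items())  # events without an EOE (single-record types) flush last
    return done

def profile(records):
    """Record-type sequence of one event, e.g. ('SYSCALL', 'CWD', 'PATH')."""
    return tuple(r['type'] for r in records)
```

Calling `profile()` on each event from `parse_log(SAMPLE_LOG)` gives the per-call record sequence the post calls a profile, with the PATH count read from the event itself.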
