From: Muli Ben-Y. <mu...@mu...> - 2005-03-31 15:23:46
On Wed, Mar 30, 2005 at 04:22:59PM -0500, Craig Soules wrote:
> Hello all,
>
> I'm curious about the status of syscall tracker under Linux 2.6. I have
> been using a similar home-spun module to track syscalls in 2.4 for quite
> some time now for use in my PhD work. I'm looking to expand my tracing
> to more users, however, many of the machines around here use 2.6, and so
> I need a new solution. Has anyone on this list had any luck with doing
> syscall interception in 2.6? Are there any plans to add syscall tracing
> to the core kernel any time soon?

No, because it's already been done :-) Check out the new audit
framework's CONFIG_AUDITSYSCALL option. I haven't looked into it in
any depth, but it seems to provide system call auditing. If all you
need is "passive" surveillance, it should do the trick. If you want to
take actions based on audit results, it could probably be extended.

Also, since I haven't used it yet, I'll be interested in hearing your
experiences with it.

Cheers,
Muli
--
Muli Ben-Yehuda
http://www.mulix.org | http://mulix.livejournal.com/