Linux Auditing patch and additional questions

Steve Grubb sgrubb at redhat.com
Fri Feb 24 23:09:23 UTC 2006


On Friday 24 February 2006 17:58, Mauricio Lin wrote:
> The system clock is registered on the entry point of syscall, right?

No, it's only referenced at the point that the audit system decides it needs to 
write an audit event. Look at the function audit_get_stamp(). It's called by 
audit_log_start. You can look for its callers to see when this occurs.

> After that, if the syscall is put in the waitqueue, nothing is registered when
> it is awakened again to use the processor. Am I right?

True. But you might want to trace the above code to see how it works.

-Steve



