Events per System Call

Basim Baig basimbaig at gmail.com
Mon Aug 16 21:38:52 UTC 2010


Hello,

I am currently doing a project based on the Linux audit framework and I am
using it to audit selected system calls. I have written my own parser for
it. What I need to know is how many events are generated per system call so
I know when it has finished. I have run a few test cases regarding this, but
I am not sure if I have covered every possible situation. Is the number of
events generated per system call always the same, or can it change from
place to place? I'll illustrate what I am saying.

For example, when an OPEN system call happens, three events are generated by
the audit framework, i.e. SYSCALL, CWD, PATH events. These three together
define the open system call. I am trying to get the same profile for the
following calls
(I am adding the profiles I have already tested for):


open = sys.cwd.path
execv = sys.execve.cwd.path.path
clone
vfork  = clone+execve
fork  = clone+execve
connect
accept

close


read = sys
readv
write  = sys
writev



rename  = sys.cwd.path.path.path.path.path

mknod = sys.cwd.path
truncate = open+read+write
ftruncate = open+read+write

link

unlink

symlink

pipe = sys.fd_pair
dup
dup2

It would be really helpful to know whether the number of events generated per
system call changes or stays the same. And is there any documentation
on what events are generated, or do I have to run small test cases for all
the aforementioned system calls?

Thanks,
Basim
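As an added example (not part of the original post or of the audit project's own code), here is a small Python parser that groups raw auditd records into events by the serial in `msg=audit(ts:serial)` instead of relying on a fixed record count per system call. The sample log is constructed; it assumes the standard auditd raw line layout, and it uses two real facts about the format: the SYSCALL record's `items=` field states how many PATH records belong to the event, and the kernel's EOE record marks the end of a multi-record event.

```python
import re
from collections import OrderedDict

# Constructed auditd raw log sample (not a real capture). Records of two
# events are interleaved, and event 102 is closed by an EOE marker.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1281994732.123:101): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4242 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1281994732.123:101): cwd="/home/basim"
type=SYSCALL msg=audit(1281994732.125:102): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=4243 comm="mv" exe="/bin/mv"
type=PATH msg=audit(1281994732.123:101): item=0 name="/etc/hosts" inode=12 dev=08:01 mode=0100644
type=CWD msg=audit(1281994732.125:102): cwd="/tmp"
type=PATH msg=audit(1281994732.125:102): item=0 name="/tmp/" inode=2 dev=08:01 mode=040777
type=PATH msg=audit(1281994732.125:102): item=1 name="/tmp/" inode=2 dev=08:01 mode=040777
type=PATH msg=audit(1281994732.125:102): item=2 name="/tmp/a" inode=77 dev=08:01 mode=0100644
type=PATH msg=audit(1281994732.125:102): item=3 name="/tmp/b" inode=78 dev=08:01 mode=0100644
type=EOE msg=audit(1281994732.125:102):
"""

# Common prefix of every raw record: type=<TYPE> msg=audit(<ts>:<serial>): <fields>
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')


def parse_events(text):
    """Group records into events keyed by serial; returns serial -> event dict.

    'complete' becomes True on an EOE record, or once every PATH record
    promised by the SYSCALL 'items=' field has arrived. Note that items= only
    bounds PATH records: auxiliary records such as SOCKADDR, EXECVE or FD_PAIR
    are not counted by it, so EOE is the authoritative end marker.
    """
    events = OrderedDict()
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # blank or non-audit line
        rtype, _ts, serial, body = m.groups()
        ev = events.setdefault(int(serial),
                               {"types": [], "items": None, "paths": 0, "complete": False})
        if rtype == "EOE":
            ev["complete"] = True  # kernel says this multi-record event is finished
            continue
        ev["types"].append(rtype)
        if rtype == "SYSCALL":
            im = re.search(r'\bitems=(\d+)', body)
            ev["items"] = int(im.group(1)) if im else None
        elif rtype == "PATH":
            ev["paths"] += 1
        if ev["items"] is not None and ev["paths"] >= ev["items"]:
            ev["complete"] = True  # all announced PATH records seen
    return events


def profile(event):
    """Render the record sequence in the post's 'sys.cwd.path' notation."""
    return ".".join("sys" if t == "SYSCALL" else t.lower() for t in event["types"])
```

Running `parse_events(SAMPLE_LOG)` yields profiles `sys.cwd.path` for serial 101 and `sys.cwd.path.path.path.path` for serial 102, so the same parser copes with both record counts without a per-syscall table.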