RE: system call tracing/auditing?

Rob Riggs (
Wed, 04 Dec 1996 02:31:06 -0700 (MST)

On 04-Dec-96 Anil Somayaji wrote:
>Hello everyone!
>I have a straightforward problem: I need to be able to record the
>system calls made by a process and its children. I do not need (most)
>of the arguments to the system calls, but I do need their relative
>order. The method needs to be robust and fast, because I want to be
>able to do this in a production environment, on a heavily loaded
>Now, the trick is this: how do you get the data out of kernel space in
>an efficient manner? One way would be to use the standard kernel
>logging facilities. Now, in order to minimize the costs, you would
>want to buffer the system call information, so you only end up making
>a logging call once every 100 system calls, for example. (Does the
>Linux kernel already do this?)
>Another approach would be to create some sort of procfs interface,
>where a random user-space process could start reading a pseudo-file
>(one for each process), and the kernel would report system calls
>through this pseudo-file as long as it was open. Additional
>information could be provided during forks, allowing the user-space
>monitoring program to know which new pseudo-files it should be
>So, has anyone already solved this problem? Should I instead play
>with strace, maybe stripping it down to its bare essentials? Am I
>overlooking some potentially serious problems?

If you are looking for a logging facility for procfs then I
may be able to help. I have been working on a generic proc
interface (my goal is to eliminate all of the specialized
inode_operations, replacing them with one _generic_ set).

The latest version implements a simple logging facility
(a proc FIFO) that should suit your needs. The FIFO uses
a 32K ring buffer to store its data. The FIFO can be
select()ed and the user process will wake up when new data
is written to the FIFO.

The latest version is at:

There you will find a patch for the proc_generic interface,
which includes example implementations in sbpcd.c, ip_masq.c
and route.c. The /proc/sbpcd example will be of most interest
to you, since it implements a proc FIFO. This patch is against
2.1.9, but should apply to later kernels as well.

I should be releasing a new version soon that will change
some of the interface a little, as well as implement a
couple of new requested features. Unfortunately I have been
working far too much overtime at my job lately to get much
done with the proc_generic code.

Let me know if you find the code useful. Your comments will
be greatly appreciated.
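As an added example that is neither from this thread nor from the proc_generic patch: a user-space C model of the FIFO's 32K ring buffer holding fixed-size system-call records, with lost-record accounting so a monitoring process can tell when it fell behind on a heavily loaded machine. The record layout and all function names are assumptions.

```c
/* Added example (not Rob Riggs' proc FIFO code): a 32K ring buffer of
 * system-call records. The producer (modelling the kernel side) never
 * blocks; when the reader has fallen behind, the oldest record is
 * overwritten and counted, and each record carries a sequence number
 * so the reader can detect the gap independently of the counter. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RING_BYTES (32 * 1024)              /* size quoted in the post */

struct syscall_rec {                         /* constructed record layout */
    uint32_t seq;                            /* monotonic sequence number */
    uint32_t pid;
    uint32_t nr;                             /* system call number */
};

#define RING_SLOTS (RING_BYTES / sizeof(struct syscall_rec))

struct ring {
    struct syscall_rec slot[RING_SLOTS];
    size_t head, tail, count;                /* head: next write; tail: next read */
    uint64_t lost;                           /* records overwritten before being read */
    uint32_t next_seq;
};

void ring_init(struct ring *r) { memset(r, 0, sizeof *r); }

/* Producer: record one system call; on overflow drop the oldest entry. */
void ring_put(struct ring *r, uint32_t pid, uint32_t nr)
{
    struct syscall_rec *rec = &r->slot[r->head];
    rec->seq = r->next_seq++; rec->pid = pid; rec->nr = nr;
    r->head = (r->head + 1) % RING_SLOTS;
    if (r->count == RING_SLOTS) { r->tail = (r->tail + 1) % RING_SLOTS; r->lost++; }
    else r->count++;
}

/* Consumer: copy out the oldest unread record; returns 0 when empty. */
int ring_get(struct ring *r, struct syscall_rec *out)
{
    if (r->count == 0) return 0;
    *out = r->slot[r->tail];
    r->tail = (r->tail + 1) % RING_SLOTS;
    r->count--;
    return 1;
}

/* Drain the buffer and return how many records the sequence numbers show
 * were never delivered (a gap of k means k records were lost). */
uint64_t ring_drain_gaps(struct ring *r)
{
    struct syscall_rec rec; uint64_t gaps = 0; uint32_t expect = 0; int first = 1;
    while (ring_get(r, &rec)) {
        if (!first) gaps += rec.seq - expect;
        expect = rec.seq + 1; first = 0;
    }
    return gaps;
}
```

A monitor that sees `lost` grow, or a sequence gap, knows its trace is incomplete for that interval and should flag it rather than treat the gap as "no system calls happened".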