Linux Audit System Call Events - ashish-gehani/SPADE GitHub Wiki

SPADE's Linux Audit Reporter interprets a subset of system calls. The table below summarizes the OPM edge(s), if any, that are generated and the value of the operation annotation on the edge(s). Note that some system calls only have an indirect effect (by updating SPADE's internal state).

System call OPM edge Operation
clone() WasTriggeredBy clone
or
fork
fork()
vfork()		 WasTriggeredBy fork
setuid()
setreuid()
setresuid()
setfsuid()		 WasTriggeredBy setuid
setgid()
setregid()
setresgid()
setfsgid()		 WasTriggeredBy setgid
setns() WasTriggeredBy setns
unshare() WasTriggeredBy unshare
exit()
exit_group()		 WasTriggeredBy exit
kill()* WasTriggeredBy unit
or
unit dependency
or
kill
ptrace() WasTriggeredBy ptrace
accept()
accept4()		 Used accept
preadv()
pread()
read()
readv()		 Used read
mq_timedreceive() Used mq_timedreceive
recvfrom()
recvmsg()		 Used recv
init_module()
finit_module()		 Used init_module
finit_module
msgrcv() Used msgrcv
creat() WasGeneratedBy create
chmod()
fchmod()
fchmodat()		 WasGeneratedBy chmod
connect() WasGeneratedBy connect
ftruncate()
truncate()		 WasGeneratedBy truncate
mprotect() WasGeneratedBy mprotect
sendto()
sendmsg()		 WasGeneratedBy send
unlink()
unlinkat()		 WasGeneratedBy unlink
mq_unlink() WasGeneratedBy mq_unlink
lseek() WasGeneratedBy lseek
madvise() WasGeneratedBy madvise
mq_timedsend() WasGeneratedBy mq_timedsend
shmctl() WasGeneratedBy shmctl
msgsnd() WasGeneratedBy msgsnd
msgctl() WasGeneratedBy msgctl
execve() Used

WasTriggeredBy 		load

execve
close() Used
or
WasGeneratedBy 		close
link()
linkat()
symlink()
symlinkat()		 Used
and
WasGeneratedBy
and
WasDerivedFrom 		link (read)

link (write)

link
tee() Used
and
WasGeneratedBy
and
WasDerivedFrom 		tee (read)

tee (write)

tee
splice() Used
and
WasGeneratedBy
and
WasDerivedFrom 		splice (read)

splice (write)

splice
vmsplice() Used
or
WasGeneratedBy 		vmsplice (read)

vmsplice (write)
mmap() Used
and
WasGeneratedBy
and
WasDerivedFrom 		mmap (read)

mmap (write)

mmap
open()
openat()		 Used
or
WasGeneratedBy 		open

open/create
mq_open() Used
or
WasGeneratedBy 		mq_open

mq_open/create
shmget() Used
or
WasGeneratedBy 		shmget
shmat() Used
or
WasGeneratedBy 		shmat
msgget() Used
or
WasGeneratedBy 		msgget
pwritev()
pwrite()
write()
writev()		 WasGeneratedBy
and
WasDerivedFrom 		write

update
rename()
renameat()		 Used
and
WasGeneratedBy
and
WasDerivedFrom 		rename (read)

rename (write)

rename
bind()
dup()
dup2()
dup3()
mknod()
mknodat()
pipe()
pipe2()
socket()
fcntl()
socketpair()
pivot_root()
chroot()
chdir()
fchdir()		 None (Interpretation has indirect effect)

*UBSI signals are translated into unit events.

This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

⚠️ **GitHub.com Fallback** ⚠️