Linux Audit System Call Events

SPADE's Linux Audit Reporter interprets a subset of system calls. The table below summarizes the OPM edge(s), if any, that are generated and the value of the operation annotation on the edge(s). Note that some system calls only have an indirect effect (by updating SPADE's internal state).

System call	OPM edge	Operation
clone()	WasTriggeredBy	clone or fork
fork() vfork()	WasTriggeredBy	fork
setuid() setreuid() setresuid() setfsuid()	WasTriggeredBy	setuid
setgid() setregid() setresgid() setfsgid()	WasTriggeredBy	setgid
setns()	WasTriggeredBy	setns
unshare()	WasTriggeredBy	unshare
exit() exit_group()	WasTriggeredBy	exit
kill()*	WasTriggeredBy	unit or unit dependency or kill
ptrace()	WasTriggeredBy	ptrace
accept() accept4()	Used	accept
preadv() pread() read() readv()	Used	read
mq_timedreceive()	Used	mq_timedreceive
recvfrom() recvmsg()	Used	recv
init_module() finit_module()	Used	init_module finit_module
msgrcv()	Used	msgrcv
creat()	WasGeneratedBy	create
chmod() fchmod() fchmodat()	WasGeneratedBy	chmod
connect()	WasGeneratedBy	connect
ftruncate() truncate()	WasGeneratedBy	truncate
mprotect()	WasGeneratedBy	mprotect
sendto() sendmsg()	WasGeneratedBy	send
unlink() unlinkat()	WasGeneratedBy	unlink
mq_unlink()	WasGeneratedBy	mq_unlink
lseek()	WasGeneratedBy	lseek
madvise()	WasGeneratedBy	madvise
mq_timedsend()	WasGeneratedBy	mq_timedsend
shmctl()	WasGeneratedBy	shmctl
msgsnd()	WasGeneratedBy	msgsnd
msgctl()	WasGeneratedBy	msgctl
execve()	Used WasTriggeredBy	load execve
close()	Used or WasGeneratedBy	close
link() linkat() symlink() symlinkat()	Used and WasGeneratedBy and WasDerivedFrom	link (read) link (write) link
tee()	Used and WasGeneratedBy and WasDerivedFrom	tee (read) tee (write) tee
splice()	Used and WasGeneratedBy and WasDerivedFrom	splice (read) splice (write) splice
vmsplice()	Used or WasGeneratedBy	vmsplice (read) vmsplice (write)
mmap()	Used and WasGeneratedBy and WasDerivedFrom	mmap (read) mmap (write) mmap
open() openat()	Used or WasGeneratedBy	open open/create
mq_open()	Used or WasGeneratedBy	mq_open mq_open/create
shmget()	Used or WasGeneratedBy	shmget
shmat()	Used or WasGeneratedBy	shmat
msgget()	Used or WasGeneratedBy	msgget
pwritev() pwrite() write() writev()	WasGeneratedBy and WasDerivedFrom	write update
rename() renameat()	Used and WasGeneratedBy and WasDerivedFrom	rename (read) rename (write) rename
bind() dup() dup2() dup3() mknod() mknodat() pipe() pipe2() socket() fcntl() socketpair() pivot_root() chroot() chdir() fchdir()	None	(Interpretation has indirect effect)

*UBSI signals are translated into unit events.