Audit uses SystemTap, which internally relies on the kprobes facility of the Linux kernel, to monitor and report when a kernel function is entered or exited during the execution of a system call. An example program is written for each system call, and the audit script is run while these examples execute.

Not all functions are reported, only those found in source files listed in a dependency file. It is recommended to limit the reporting to functions defined in the same file or in the same subsystem as the system call. It is also possible to report specific functions such as the LSM hooks, as long as kprobes support it (intercepting the usual program flow may sometimes cause race conditions, among other strange things).
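The approach described above, written out as an added SystemTap script (not the project's own audit script): it reports entry and exit of every kernel function defined in fs/open.c, but only while the example program run under `-c` is inside the openat() system call. The file name fs/open.c and the example program name are assumptions for illustration; kernel debuginfo must be installed for file-scoped probes to resolve.

```systemtap
#!/usr/bin/env stap
# Added example, not the project's own script: report kernel functions
# defined in fs/open.c that run while the traced process is inside openat().
# Usage (assumed program name):  stap -v ./audit-openat.stp -c ./example-openat
# Assumptions: kernel debuginfo is present; fs/open.c stands in for the
# "same file as the system call" entry of the dependency file.

global in_syscall   # tid -> 1 while that thread is executing openat()

# Only functions reached from within the system call of interest are reported;
# target() is the pid of the process started with -c.
probe syscall.openat {
    if (pid() == target()) in_syscall[tid()] = 1
}
probe syscall.openat.return {
    if (pid() == target()) delete in_syscall[tid()]
}

# Use .call rather than a bare .function probe: inlined instances have no
# .return counterpart and would leave the entry/exit indentation unbalanced.
probe kernel.function("*@fs/open.c").call {
    if (!in_syscall[tid()]) next
    printf("%s -> %s\n", thread_indent(1), ppfunc())
}

probe kernel.function("*@fs/open.c").return {
    if (!in_syscall[tid()]) next
    # $$return renders the return value, or an empty string for void functions.
    printf("%s <- %s %s\n", thread_indent(-1), ppfunc(), $$return)
}

probe end {
    # A leftover entry means openat() was entered but its return was never
    # seen: the traced process died mid-call, or a return probe was not placed.
    foreach (t in in_syscall)
        printf("warning: thread %d still marked inside openat() at exit\n", t)
}
```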


C, SystemTap