sysinfo - reads various system information
The sysinfo() system call retrieves information about the system's current state. Among other metrics, it returns the amount of time spent in idle, system, user and iowait, the number of running and total processes, and the total amount of free and available memory.
This system call is an efficient and convenient way to read many system metrics in one call, which makes it useful for monitoring system performance. However, it is subject to TOCTOU (time of check, time of use) vulnerabilities, so appropriate precautions should be taken when using it.
struct sysinfo*[K] - A pointer to a struct sysinfo, which receives all the data accumulated by sysinfo.
- K - Originated from kernel-space.
- U - Originated from user space (for example, a pointer to user-space memory used to retrieve it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with a null value)
kprobes + ftrace
To measure the amount of time the system is in idle, user and system mode, as well as the amount of free and available system memory.
Example Use Case
A system administrator could use this system call to measure and monitor the performance of their system in real time.
sysinfo() is subject to TOCTOU (time of check, time of use) vulnerabilities, so appropriate precautions should be taken when using it.
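As an added illustration of the data this syscall returns and of the snapshot caveat above (example code written for this page, not part of Tracee), the following Linux C program reads the struct sysinfo argument, converts the mem_unit-scaled memory fields and fixed-point load average into plain units, and checks the kernel's own invariants on the result. The struct sys_snapshot type and the function names are assumptions of this example; the one-shot check in free_ram_at_least shows why a value read here must not be trusted at a later time of use.

```c
#include <sys/sysinfo.h>   /* struct sysinfo, sysinfo(), SI_LOAD_SHIFT */

/* Normalised view of one sysinfo() snapshot (helper type assumed here). */
struct sys_snapshot {
    long uptime_s;                 /* seconds since boot */
    double load1;                  /* 1-minute load average, from fixed point */
    unsigned long long total_ram;  /* bytes, already scaled by mem_unit */
    unsigned long long free_ram;   /* bytes */
    unsigned short procs;          /* number of current processes */
};

/* Memory fields in struct sysinfo are counted in units of mem_unit bytes
 * and loads[] is fixed point scaled by 2^SI_LOAD_SHIFT, so convert both
 * before comparing or reporting. Returns 0 on success, -1 on error. */
int take_snapshot(struct sys_snapshot *out)
{
    struct sysinfo si;
    if (sysinfo(&si) != 0) return -1;
    unsigned long long unit = si.mem_unit ? si.mem_unit : 1;
    out->uptime_s  = si.uptime;
    out->load1     = (double)si.loads[0] / (1 << SI_LOAD_SHIFT);
    out->total_ram = (unsigned long long)si.totalram * unit;
    out->free_ram  = (unsigned long long)si.freeram * unit;
    out->procs     = si.procs;
    return 0;
}

/* Invariants that must hold within a single snapshot filled by the kernel. */
int snapshot_is_consistent(const struct sys_snapshot *s)
{
    return s->total_ram > 0 && s->free_ram <= s->total_ram
        && s->procs >= 1 && s->load1 >= 0.0 && s->uptime_s >= 0;
}

/* Take a live snapshot and validate it: 1 if consistent, 0 otherwise. */
int live_snapshot_ok(void)
{
    struct sys_snapshot s;
    return take_snapshot(&s) == 0 && snapshot_is_consistent(&s);
}

/* A check in the time-of-check/time-of-use sense: the answer is true only
 * for the instant the syscall ran. Acting on it later (e.g. allocating on
 * its strength) races every other process, so treat it as a hint only. */
int free_ram_at_least(unsigned long long bytes)
{
    struct sys_snapshot s;
    return take_snapshot(&s) == 0 && s.free_ram >= bytes;
}
```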
- sys_exit - when this event fires, sysinfo can be used to give a more accurate picture of the system's current performance.
- sys_fork - this event allows the user to measure the number of active processes in the system.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user read the "events.go" source file to understand the events and their arguments better.