On Mon, Feb 09, 2009 at 02:23:35PM +0100, Harald Hoyer wrote:
> Karel Zak wrote:
>> On Thu, Feb 05, 2009 at 03:44:42PM +0100, Harald Hoyer wrote:
>>> Ingo Molnar wrote:
>>>> * Pavel Machek <pavel@xxxxxxx> wrote:
>>>>> On Tue 2009-01-27 12:08:04, Kok, Auke wrote:
>>>>>> This tracer monitors regular file open() syscalls. This is a fast
>>>>>> and low-overhead alternative to strace, and does not allow or
>>>>>> require to be attached to every process.
>>>>>
>>>>> Maybe fanotify() should be used instead?
>>>>>
>>>>>> The tracer only logs successful calls, as those are the only ones we
>>>>>> are currently interested in, and we can determine the absolute path
>>>>>> of these files as we log.
>>>>>
>>>>> Or maybe just plain strace? One slow boot should not really hurt...
>>>>
>>>> ptrace is out of question for good tracing because it's not a transparent probe. (ptrace monopolizes the traced task - if we use that then we break regular strace usage.)
>>>>
>>>> Ingo
>>>
>>> Can strace be used on init?
>>>
>>> $ man strace
>>> ...
>>> On Linux, exciting as it would be, tracing the init process is forbidden.
>>> ...
>>>
>>> Any hope getting _any_ mechanism in the kernel??
>>
>> Do you remember Linux Auditing System? That's RH's baby with hooks to
>> all relevant syscalls. It would be better to fix/improve the current
>> kernel mechanisms than introduce a new one.
>
> Yes, I do remember it, because this is how the current fedora readahead
> gathers its data. It delays the audit daemon, because there is no clean way to hook into the stream. I asked to add a second "channel" (auditd wants the kernel socket for its own)...

yes, it'd be nice to support arbitrary number of connections and
rules per connection. (.. or export audit stuff to userspace by a
special pseudo filesystem (see cgroups, debugfs, ...)).

Karel
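
Added example (not part of the thread, nor code from any of the posters): a sketch of the audit-based collection discussed above, applying the same filter the proposed tracer describes (successful opens only, resolved to absolute paths). It assumes x86_64 syscall numbers (open=2, openat=257); the log records are constructed and abridged, and `opened_files` is a hypothetical helper name.

```python
import os
import re
from collections import defaultdict

# Constructed, abridged records in auditd log layout (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1234187015.101:40): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1 comm="init" exe="/sbin/init"
type=CWD msg=audit(1234187015.101:40): cwd="/"
type=PATH msg=audit(1234187015.101:40): item=0 name="/etc/inittab" inode=1201
type=SYSCALL msg=audit(1234187015.230:41): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=512 comm="udevd" exe="/sbin/udevd"
type=CWD msg=audit(1234187015.230:41): cwd="/"
type=PATH msg=audit(1234187015.230:41): item=0 name="/etc/udev/missing.conf"
type=SYSCALL msg=audit(1234187015.412:42): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=512 comm="udevd" exe="/sbin/udevd"
type=CWD msg=audit(1234187015.412:42): cwd="/etc/udev"
type=PATH msg=audit(1234187015.412:42): item=0 name="rules.d/50-udev.rules" inode=1377
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def opened_files(log_text, open_syscalls=("2", "257")):
    """Return absolute paths of successful opens, ordered by event serial.

    Assumption: syscall numbers are x86_64 (open=2, openat=257).
    Simplifications: the last PATH record of an event wins, and
    hex-encoded (unquoted) names are passed through undecoded.
    """
    events = defaultdict(dict)  # serial -> {record type: parsed fields}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[int(serial)][rtype] = fields
    paths = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev.get("SYSCALL", {})
        # Keep only open()/openat() calls that succeeded.
        if sc.get("syscall") not in open_syscalls or sc.get("success") != "yes":
            continue
        name = ev.get("PATH", {}).get("name")
        if name is None:
            continue
        # Relative names are resolved against the CWD record of the same event.
        cwd = ev.get("CWD", {}).get("cwd", "/")
        paths.append(os.path.normpath(os.path.join(cwd, name)))
    return paths
```
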