LinuxQuestions.org


JonhQ 03-27-2010 12:26 PM

Tracing a user's system calls.
 
I would like to trace a user's activity by monitoring system calls. Is there a way to use strace such that at startup it will begin tracing all system calls? Or is there any other method to automatically trace the system calls used during a user's session without having to call strace manually?

unSpawn 03-27-2010 01:20 PM

Quote:

Originally Posted by JonhQ (Post 3914514)
I would like to trace a user's activity by monitoring system calls.

It's possible to trace syscalls (see: Auditd, GRSecurity or else maybe LTTng or utrace). I'm wondering though if you're choosing the wrong tool for the right job. Could you please elaborate why you need it? Note logging syscalls means kernel space logging which definitely is not granular so you'll need to filter things afterwards. Also please note monitoring user activity and the privacy aspect. Even if the reason is of a purely technical nature one should be concerned with it. And especially if it applies to a true multi-user system. (Post recycling 1, 2, 3.)

JohnQ. 03-27-2010 02:14 PM

Well, I basically want to classify normal user behavior by collecting this data from several users. This will be done with their consent obviously so no need to worry about privacy. I know there will be a need for a lot of filtering and it will kill performance, that's not a major issue. Also, strace allows you to select which system calls to be traced and things like that. But I would like to do something like strace -ff init at startup to monitor all process system calls automatically. The machines I will be using are running Ubuntu 9.10 or RHEL 5.4.

syg00 03-27-2010 06:23 PM

Have a look at systemtap - it comes with several "canned" scripts. Wouldn't take much to post-process the output if they don't fit what you want.
ftrace might be a chance as well - wouldn't think it would be available on the RHEL system though.

unSpawn 03-27-2010 08:01 PM

Quote:

Originally Posted by JohnQ. (Post 3914647)
Well, I basically want to classify normal user behavior by collecting this data from several users. This will be done with their consent obviously so no need to worry about privacy.

Sure. It's just the "obviously" part didn't show from your OP...


Quote:

Originally Posted by JohnQ. (Post 3914647)
strace allows you to select which system calls to be traced and things like that.

Auditd allows you to configure which syscalls will be traced and things like that. BTW Auditd doesn't, but SystemTap requires a debug kernel AFAIK.

syg00 03-27-2010 09:14 PM

Requires the debug filesystem (plus a couple of other bits), not necessarily a kernel compiled with -g.

Might be an excuse for me to (finally) go look at Auditd.

JohnQ. 03-30-2010 10:44 AM

Any info on how to use auditd on Ubuntu 9.10? The man page isn't very helpful.
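As an added post-processing example (not from this thread, the audit project or any poster): a small Python parser for the type=SYSCALL records auditd writes to /var/log/audit/audit.log, building a per-user syscall histogram of the kind the OP wants for classifying normal behaviour. Records are keyed by auid (the login uid), so activity after su or sudo is still attributed to the user who logged in; the sample log lines, the auditctl rule in the comment and the x86_64 syscall-number subset are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of audit.log records, as a rule such as
#   auditctl -a always,exit -F arch=b64 -S execve,openat -F auid=1000 -k usertrace
# would produce (not a real capture). Note the last record: uid=0 after sudo,
# but auid=1001 still identifies the logged-in user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1269700000.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="usertrace"
type=SYSCALL msg=audit(1269700000.102:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="usertrace"
type=SYSCALL msg=audit(1269700000.103:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="usertrace"
type=CWD msg=audit(1269700000.103:203): cwd="/home/alice"
type=SYSCALL msg=audit(1269700000.104:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1400 auid=1001 uid=0 euid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" key="usertrace"
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Subset of the x86_64 syscall table (arch=c000003e) used in this example
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve", 257: "openat"}


def parse_record(line):
    """Return the key=value fields of one audit record as a dict (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def syscall_profile(log_text):
    """Per login uid (auid): Counter of syscall names, plus a Counter of failed calls."""
    profile = defaultdict(Counter)
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # CWD/PATH/EXECVE records share the serial; only SYSCALL is counted
        auid = rec.get("auid", "unknown")
        num = int(rec["syscall"])
        name = X86_64_SYSCALLS.get(num, "syscall_%d" % num)
        profile[auid][name] += 1
        if rec.get("success") == "no":
            failures[auid] += 1
    return profile, failures


if __name__ == "__main__":
    prof, fails = syscall_profile(SAMPLE_LOG)
    for auid, counts in sorted(prof.items()):
        print("auid=%s %s failed=%d" % (auid, dict(counts), fails[auid]))
```

On a live system the same function can be fed the output of ausearch -k usertrace --raw, which emits records in this format.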

