Tracing a user's system calls.
I would like to trace a user's activity by monitoring system calls. Is there a way to use strace such that at startup it will begin tracing all system calls? Or is there any other method to automatically trace the system calls used during a user's session automatically without having to call strace manually?
Well, I basically want to classify normal user behavior by collecting this data from several users. This will be done with their consent obviously so no need to worry about privacy. I know there will be a need for a lot of filtering and it will kill performance, that's not a major issue. Also, strace allows you to select which system calls to be traced and things like that. But I would like to do something like strace -ff init at startup to monitor all process system calls automatically. The machines I will be using are running Ubuntu 9.10 or RHEL 5.4.
Have a look at systemtap - it comes with several "canned" scripts. Wouldn't take much to post-process the output if they don't fit what you want.
ftrace might be a chance as well - wouldn't think it would be available on the RHEL system though.
Requires the debug filesystem (plus a couple of other bits), not necessarily a kernel compiled with -g.
Might be an excuse for me to (finally) go look at Auditd.
Any info on how to use auditd on Ubuntu 9.10? man page isn't very helpful.
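One way to post-process per-process `strace -ff` output into a baseline of normal behavior, as suggested in the thread. This is an added example, not code from any poster. The sample trace is constructed, and the function names and the choice of 3-call sliding windows as the feature are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of one `strace -ff -o <prefix>` per-PID file.
SAMPLE_TRACE = r"""
execve("/bin/cat", ["cat", "/etc/hostname"], [/* 20 vars */]) = 0
open("/etc/hostname", O_RDONLY) = 3
read(3, "host1\n", 32768) = 6
write(1, "host1\n", 6) = 6
read(3, "", 32768) = 0
close(3) = 0
open("/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)
--- SIGCHLD (Child exited) @ 0 (0) ---
read(0,  <unfinished ...>
<... read resumed> "", 1024) = 0
exit_group(0) = ?
"""

# Optional leading PID (single-file -f output) and optional -t/-tt timestamp.
CALL_RE = re.compile(r"^(?:\d+\s+)?(?:[\d:.]+\s+)?(\w+)\(")
RESUMED_RE = re.compile(r"<\.\.\. \w+ resumed>")

def syscall_sequence(trace_text):
    """Return syscall names in order, counting each call exactly once."""
    seq = []
    for line in trace_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("---", "+++")):
            continue  # signal deliveries and exit markers are not syscalls
        if RESUMED_RE.search(line):
            continue  # counted already at its "<unfinished ...>" line
        match = CALL_RE.match(line)
        if match:
            seq.append(match.group(1))
    return seq

def ngrams(seq, n=3):
    """Sliding windows of n consecutive syscalls, with occurrence counts."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))

def unseen_ngrams(baseline, trace_text, n=3):
    """n-grams in a new trace that never occurred in the baseline profile."""
    return set(ngrams(syscall_sequence(trace_text), n)) - set(baseline)

if __name__ == "__main__":
    seq = syscall_sequence(SAMPLE_TRACE)
    print(Counter(seq).most_common())
    print(len(ngrams(seq)), "distinct 3-grams in the baseline")
```

A real baseline would merge the n-gram counters from many per-PID files per user before comparing new sessions against it.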