I would like to trace a user's activity by monitoring system calls. Is there a way to use strace such that at startup it will begin tracing all system calls? Or is there any other method to automatically trace the system calls used during a user's session automatically without having to call strace manually?
Quote:
I would like to trace a user's activity by monitoring system calls.
It's possible to trace syscalls (see: Auditd, GRSecurity or else maybe LTTng or utrace). I'm wondering though if you're choosing the wrong tool for the right job. Could you please elaborate why you need it? Note logging syscalls means kernel space logging which definitely is not granular so you'll need to filter things afterwards. Also please note monitoring user activity and the privacy aspect. Even if the reason is of a purely technical nature one should be concerned with it. And especially if it applies to a true multi-user system. (Post recycling 1, 2, 3.)
Last edited by unSpawn; 03-27-2010 at 01:27 PM.
Reason: //more *is* more
Well, I basically want to classify normal user behavior by collecting this data from several users. This will be done with their consent obviously so no need to worry about privacy. I know there will be a need for a lot of filtering and it will kill performance, that's not a major issue. Also, strace allows you to select which system calls to be traced and things like that. But I would like to do something like strace -ff init at startup to monitor all process system calls automatically. The machines I will be using are running Ubuntu 9.10 or RHEL 5.4.
Have a look at systemtap - it comes with several "canned" scripts. Wouldn't take much to post-process the output if they don't fit what you want.
ftrace might be a chance as well - wouldn't think it would be available on the RHEL system though.
Quote:
Well, I basically want to classify normal user behavior by collecting this data from several users. This will be done with their consent obviously so no need to worry about privacy.
Sure. It's just the "obviously" part didn't show from your OP...
Quote:
Originally Posted by JohnQ.
strace allows you to select which system calls to be traced and things like that.
Auditd allows you to configure which syscalls will be traced and things like that. BTW Auditd doesn't but System Tap requires a debug kernel AFAIK.
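An added example, not part of any post in this thread: one way to do the "filter things afterwards" step for the Auditd route, turning raw SYSCALL records into per-user syscall counts that a behavior baseline could be built from. The log lines are constructed, and the audit rule, the key name "usertrace" and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in auditd's raw SYSCALL format (not real logs).
# Assumed rule that would produce them (x86_64, audit key "usertrace"):
#   auditctl -a always,exit -F arch=b64 -S open -S execve -F auid>=500 -k usertrace
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1269696420.101:310): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=500 uid=500 tty=pts0 ses=1 comm="ls" exe="/bin/ls" key="usertrace"
type=PATH msg=audit(1269696420.101:310): item=0 name="/bin/ls" inode=1234
type=SYSCALL msg=audit(1269696421.220:311): arch=c000003e syscall=2 success=yes exit=3 ppid=2000 pid=2002 auid=500 uid=0 tty=pts0 ses=1 comm="sudo" exe="/usr/bin/sudo" key="usertrace"
type=SYSCALL msg=audit(1269696422.007:312): arch=c000003e syscall=2 success=no exit=-13 ppid=2100 pid=2101 auid=501 uid=501 tty=pts1 ses=2 comm="cat" exe="/bin/cat" key="usertrace"
type=SYSCALL msg=audit(1269696423.450:313): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="usertrace"
"""

# Partial x86_64 syscall number table; extend it for the calls you audit.
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve"}
UNSET_AUID = "4294967295"  # (uint32)-1: process has no login session (daemons)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_syscall_record(line):
    """Return the key=value fields of a SYSCALL record, or None for other types."""
    if not line.startswith("type=SYSCALL "):
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def build_profiles(log_text, key=None):
    """Count syscalls per login uid (auid), which survives su/sudo unlike uid."""
    profiles = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_syscall_record(line)
        if rec is None or rec.get("auid", UNSET_AUID) == UNSET_AUID:
            continue  # skip non-syscall records and daemon activity
        if key is not None and rec.get("key") != key:
            continue  # only records produced by the rule we care about
        num = int(rec["syscall"])
        name = SYSCALL_NAMES.get(num, "syscall_%d" % num)
        outcome = "ok" if rec.get("success") == "yes" else "fail"
        profiles[rec["auid"]][(name, outcome)] += 1
    return profiles

if __name__ == "__main__":
    for auid, counts in sorted(build_profiles(SAMPLE_LOG, key="usertrace").items()):
        print(auid, dict(counts))
```

Grouping on auid rather than uid keeps the sudo call in the sample attributed to the user who logged in, and the unset-auid check drops the crond record that the `auid>=500` filter alone would let through.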