Karel Zak wrote: > On Thu, Feb 05, 2009 at 03:44:42PM +0100, Harald Hoyer wrote: >> Ingo Molnar wrote: >>> * Pavel Machek <[email protected]> wrote: >>> >>>> On Tue 2009-01-27 12:08:04, Kok, Auke wrote: >>>>> This tracer monitors regular file open() syscalls. This is a fast >>>>> and low-overhead alternative to strace, and does not allow or >>>>> require to be attached to every process. >>>>> >>>>> The tracer only logs succesfull calls, as those are the only ones we >>>>> are currently interested in, and we can determine the absolute path >>>>> of these files as we log. >>>> Maybe fanotify() should be used instead? >>>> >>>> Or maybe just plain strace? One slow boot should not really hurt... >>> ptrace is out of question for good tracing because it's not a >>> transparent probe. (ptrace monopolizes the traced task - if we use that >>> then we break regular strace usage.) >>> >>> Ingo >> Can strace can be used on init? >> >> $ man strace >> ... >> On Linux, exciting as it would be, tracing the init process is >> forbidden. >> ... >> >> Any hope getting _any_ mechanism in the kernel?? > > Do you remember Linux Auditing System? That's RH's baby with hooks to > all relevant syscalls. It would be better to fix/improve the current > kernel mechanisms that introduce a new one. > > Karel >
Yes, I do remember it, because this is how the current fedora readahead gathers its data. It delays the audit daemon, because there is no clean way to hook into the stream. I asked to add a second "channel" (auditd wants the kernel socket for its own)... _______________________________________________ Power mailing list [email protected] http://www.bughost.org/mailman/listinfo/power
