
strace allows you to monitor the activity of a particular program. How can I monitor the activity of all programs (except for sshd/bash/strace itself)?

Currently I'm using a hack like this:

# parent pid of $1, read from /proc
function ppid() { grep PPid: /proc/"$1"/status | grep -o "[0-9]*"; };
# $1 and all of its ancestors up to init; also stop at pid 0 or an empty value, otherwise the loop
# never ends when the parent is not visible (e.g. it lives in an outer pid namespace) or the process is gone
function pidtree() { P=$1; while [ -n "$P" ] && [ "$P" != "1" ] && [ "$P" != "0" ]; do echo "$P"; P=$(ppid "$P"); done; echo 1; };
# every pid, minus the ones listed twice (the shell's own ancestor chain), turned into -p options
strace -fe execve $( ( pgrep ''; pidtree $$ ) | sort | uniq -u | sed 's/^/-p /')

Note: using this can freeze your system.

Is there a better way to do it?

Vi.
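Whichever way the tracer gets attached, the `strace -fe execve` output still has to be turned into events you can filter. The following parser is an added example, not code from the question or either answer; it runs over constructed strace lines and pairs the `<unfinished ...>` / `<... execve resumed>` halves that appear when several traced processes exec at once under `-f`.

```python
import re
# Constructed sample of `strace -f -e trace=execve` output, not a capture from a real host.
SAMPLE = """\
[pid  4242] execve("/bin/sh", ["sh", "-c", "ls -l /tmp"], 0x55d0c0ffee00 /* 12 vars */) = 0
[pid  4243] execve("/bin/ls", ["ls", "-l", "/tmp"], 0x5600deadbeef /* 12 vars */) = 0
[pid  4244] execve("/usr/bin/nosuch", ["nosuch"], 0x7ffd12345678 /* 12 vars */) = -1 ENOENT (No such file or directory)
[pid  4245] execve("/usr/bin/id", ["id", "-u"], 0x7ffd00000000 /* 12 vars */ <unfinished ...>
[pid  4243] +++ exited with 0 +++
[pid  4245] <... execve resumed>) = 0
"""
PID_RE = re.compile(r'^\[pid\s+(\d+)\]\s+')        # present when strace runs with -f
# argv is assumed not to contain the literal "],"; envp is a pointer or, under -v, an array
CALL_RE = re.compile(r'^execve\("(?P<path>[^"]*)",\s*\[(?P<argv>.*?)\],\s*(?:0x[0-9a-f]+|\[.*\])'
                     r'(?:\s*/\*\s*\d+\s+vars\s*\*/)?')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')        # keeps strace's C-style escapes as-is
RET_RE = re.compile(r'=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?')

def parse_execve(text):
    """Turn strace execve lines into dicts, pairing <unfinished ...>/<... resumed> halves per pid."""
    events, pending = [], {}
    for line in text.splitlines():
        m = PID_RE.match(line)
        pid = int(m.group(1)) if m else None
        body = line[m.end():] if m else line
        if body.startswith('<... execve resumed>'):
            ev, r = pending.pop(pid, None), RET_RE.search(body)
            if ev and r:
                ev.update(ret=int(r['ret']), errno=r['errno'])
                events.append(ev)
            continue
        c = CALL_RE.match(body)
        if not c:
            continue                      # exit notices, signals, other syscalls
        ev = {'pid': pid, 'path': c['path'], 'argv': ARG_RE.findall(c['argv']),
              'ret': None, 'errno': None}
        rest = body[c.end():]
        if '<unfinished ...>' in rest:
            pending[pid] = ev             # the return value arrives on a later line
            continue
        r = RET_RE.search(rest)
        if r:
            ev.update(ret=int(r['ret']), errno=r['errno'])
        events.append(ev)
    return events

def successful_execs(text, ignore=()):
    """(pid, path, argv) for execs that returned 0, skipping paths in `ignore` (e.g. the tracer's shell)."""
    return [(e['pid'], e['path'], e['argv'])
            for e in parse_execve(text) if e['ret'] == 0 and e['path'] not in ignore]
```

Failed execs keep their errno, so the same records can also be used to spot attempts to run binaries that do not exist on the box.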

2 Answers


Simplest way with systemtap is something like:

stap -e 'probe nd_syscall.* { println(execname(), pid(), " ", pn(), argstr) }'

(@Vi, no manual kernel module work is required; systemtap does that for itself. You need kernel-module-development files available though.)

fche

It's not very feasible to "strace the whole system" from userspace. As I indicated in the previous question you asked, the best way is to use a kernel-mode tracing infrastructure such as kprobes, systemtap, or dtrace. Have you looked at any of these? Is there a reason why none of them will work for your use case?

The only way to truly reliably strace the entire system from userspace would be to start your trace with the init process... but I'm not sure that init or systemd would be very happy with you stracing it, since it does a lot of very low-level stuff that's pretty fragile and easy to break (and hard to inject wrapper commands around it too, I might add).

This is why the highest quality probing mechanisms have some type of kernel module, because the kernel "sees all". This is especially relevant since you are trying to monitor activity on character devices such as /dev/console and /dev/tty*, and the kernel has direct oversight over the calls to those devices since they are implemented in kernelspace.

allquixotic