Bruce's Blog

The Internet needed another source of rants and uninvited uninformed opinions.

    Syscall auditing comes to Linux

    Something that had been on my wishlist for a while is now available as part of the Linux 2.6.6 kernel release: Syscall Auditing. Syscall auditing allows for the selective logging of syscalls.

    This means you can define logging rules that make it much easier to do things like track down which program is spewing crap files all over /tmp, watch suspicious users to see what files they are editing and what they are running, or find out what exactly that temperamental long-running process does when it seems to die randomly at 4:32 in the morning. Of course all of these could be done with other tools, but syscall auditing makes them significantly easier.

    Unfortunately the userspace tools are still rather raw and the auditing output isn't very human friendly. I figure it is only a matter of time before more friendly parsing tools start popping up. The existing tools can be found here and the needed kernel support is already in recent Fedora 2.6.x kernel releases.
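    As an added illustration of the "who is filling /tmp" and "what is that user touching" use cases above, here is a small parser that joins the kernel's SYSCALL and PATH records of one audit event by their shared serial number. This is example code written for this post, not code from the post or from the audit project. It assumes the record layout used by the later `auditd` tooling (`type=SYSCALL msg=audit(ts:serial): ...`, followed by `PATH` records for the same serial) and a watch rule tagged with a key, such as `auditctl -w /tmp -p wa -k tmp-write` in modern `auditctl` syntax; the 2004 tools linked above emit a rawer format. The log lines below are constructed, not captured.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not real captures). Every record of one
# event carries the same serial number after the timestamp; that serial is
# what lets us join "which program / which user" to "which file".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1084000000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1234 auid=1000 uid=1000 comm="badscript" exe="/usr/local/bin/badscript" key="tmp-write"
type=CWD msg=audit(1084000000.101:201): cwd="/home/bruce"
type=PATH msg=audit(1084000000.101:201): item=0 name="/tmp/" nametype=PARENT
type=PATH msg=audit(1084000000.101:201): item=1 name="/tmp/junk.0001" nametype=CREATE
type=SYSCALL msg=audit(1084000000.250:202): arch=c000003e syscall=257 success=yes exit=4 ppid=900 pid=1234 auid=1000 uid=1000 comm="badscript" exe="/usr/local/bin/badscript" key="tmp-write"
type=PATH msg=audit(1084000000.250:202): item=0 name="/tmp/" nametype=PARENT
type=PATH msg=audit(1084000000.250:202): item=1 name="/tmp/junk.0002" nametype=CREATE
type=SYSCALL msg=audit(1084000000.300:203): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=77 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="tmp-write"
type=PATH msg=audit(1084000000.300:203): item=0 name="/tmp/cron.lock" nametype=NORMAL
type=SYSCALL msg=audit(1084000000.400:204): arch=c000003e syscall=257 success=yes exit=5 ppid=900 pid=2222 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="tmp-write"
type=PATH msg=audit(1084000000.400:204): item=1 name="/tmp/.notes.swp" nametype=CREATE
"""

# Record header: type, timestamp, serial, then the key=value payload.
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
# Payload fields are either bare tokens or double-quoted strings.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit line into a dict, or return None for lines we don't understand."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}


def group_events(text):
    """Group records by serial so SYSCALL and PATH lines of one event sit together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def files_created_by_exe(text, key="tmp-write"):
    """Map executable -> sorted paths it created, counting only successful
    syscalls tagged with the rule key (the 'what is spewing files' question)."""
    created = defaultdict(list)
    for _serial, recs in sorted(group_events(text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not syscall or syscall.get("key") != key or syscall.get("success") != "yes":
            continue  # denied or unrelated events do not create anything
        for r in recs:
            if r["type"] == "PATH" and r.get("nametype") == "CREATE":
                created[syscall["exe"]].append(r["name"])
    return {exe: sorted(paths) for exe, paths in created.items()}


def top_tmp_spammer(text, key="tmp-write"):
    """Executable that created the most files under the watched rule, or None."""
    counts = files_created_by_exe(text, key)
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: len(kv[1]))[0]


def activity_by_auid(text):
    """Map login uid (auid) -> executables run and paths touched, successful or
    not (the 'watch a suspicious user' question). auid 4294967295 means unset."""
    activity = defaultdict(lambda: {"exes": set(), "paths": set()})
    for _serial, recs in group_events(text).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not syscall:
            continue
        entry = activity[syscall["auid"]]
        entry["exes"].add(syscall["exe"])
        for r in recs:
            if r["type"] == "PATH":
                entry["paths"].add(r["name"])
    return {auid: {"exes": sorted(v["exes"]), "paths": sorted(v["paths"])}
            for auid, v in activity.items()}


if __name__ == "__main__":
    for exe, paths in files_created_by_exe(SAMPLE_LOG).items():
        print(f"{exe}: {len(paths)} file(s) created in /tmp")
    print("top offender:", top_tmp_spammer(SAMPLE_LOG))
```

    The join on the serial is the important part: a SYSCALL record alone tells you the program and user, a PATH record alone tells you the file, and only together do they answer the question. Filtering on `success=yes` keeps denied attempts (like the cron record above) out of the "who created what" tally while `activity_by_auid` still shows them, which is what you want when watching a user rather than hunting a file spewer.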

    Tags » General
    • 10 May 2004
  • About Bruce Locke

    Network Analyst who plays around with many things open source when he is not feeding his MMORPG addiction.
