On Mon, Mar 14, 2016 at 11:23:04AM +0000, Roger Light wrote:
I listened to some of the Ubuntu podcast on the way in to work this
morning and they mentioned the util "fatrace". Turns out you can't use
the fanotify functions with /dev, but I've managed to figure out a
good way of doing this.
Assuming you've got SystemTap (kernel probing functionality, see at
the end of the email) installed, then try:
sudo stap random_read.stp
where random_read.stp looks like:
probe kernel.function("random_read").call
{
    # Fires on every entry to the kernel's random_read(), i.e. each
    # read(2) on /dev/random; $nbytes is its size_t length argument.
    printf("%s[%d] len:%d\n", execname(), tid(), $nbytes)
}
This will print out the executable name, process id and number of
bytes requested each time a process reads from /dev/random. You can
verify it with e.g.
[snipped]
SystemTap is cool, but I can strongly recommend sysdig as a
user-friendly alternative to it. It works on the same principle,
i.e. using a kernel module to insert probes into the running system,
but you don't need to know how to write any code. Instead the
invocation is very much like wireshark / tshark filters (no
coincidence, since both projects share the same founders). For
example:
$ sudo sysdig evt.type=open and fd.name=/dev/random
1911991 13:44:51.773593245 0 dd (21147) < open fd=3(<f>/dev/random) name=/dev/random flags=1(O_RDONLY) mode=0
As you can imagine, system-wide events can be sliced and diced in
countless different ways, and much more quickly than with SystemTap as
a result of not needing to write a new probe for each inspection
type. There's even an interactive UI. For more info see
http://www.sysdig.org/
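An added example, not from either message in this thread, that extends the one-line SystemTap script above into something you would actually leave running: instead of printing one line per read, it keeps a per-process total of bytes requested from both /dev/random and /dev/urandom and prints a summary when you stop it with Ctrl-C. It assumes a kernel whose read handlers are named random_read and urandom_read and take a size_t argument called nbytes, which was true of drivers/char/random.c at the time of this thread; on other kernels check the probe points first with `stap -l 'kernel.function("*random_read*")'`, because if the names differ (or the function is inlined) stap will report no match for the .call probe.

```systemtap
# Added example, not from either message above: per-process totals for
# reads of /dev/random and /dev/urandom, printed when stap is stopped
# with Ctrl-C. Assumes the kernel's read handlers are named random_read
# and urandom_read and take a size_t nbytes argument (check with:
# stap -l 'kernel.function("*random_read*")').

global requested   # statistics aggregate keyed by (execname, pid, kernel fn)

probe kernel.function("random_read").call,
      kernel.function("urandom_read").call
{
    # ppfunc() is the name of the probed kernel function, so the key
    # tells the two devices apart; <<< feeds $nbytes into the aggregate.
    requested[execname(), pid(), ppfunc()] <<< $nbytes
}

probe end
{
    printf("%-20s %7s %-13s %6s %10s\n",
           "COMM", "PID", "DEVICE_FN", "READS", "BYTES")
    foreach ([comm, p, fn] in requested) {
        printf("%-20s %7d %-13s %6d %10d\n", comm, p, fn,
               @count(requested[comm, p, fn]),
               @sum(requested[comm, p, fn]))
    }
}
```

Run it as `sudo stap random_totals.stp`, exercise the system, then Ctrl-C to get the table. One caveat applies equally to this script, the original one, and the sysdig filter on `fd.name=/dev/random`: since Linux 3.17 a program can call getrandom(2) and draw from the same pool without ever opening a device node, so a consumer that uses that syscall will not show up in any of these traces.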