> Strace doesn't count, by the way. It tells you what a program is doing, but doesn't collate the information so you can slice and dice it.
> strace -f $CMD 2>&1 | sed 's/^.pid[ 0-9]..\(.\)/\1/g' | sort -u does most of what I want, so will probably do for now.
> snoopy? bpf?
> Snoopy looks like it tracks executions across the system rather than focussing on what one execution did. bpf looks powerful, but is only for recent kernels, which might suffice.
> You're looking for sysdig.
> It's tricky to get that to tell you what a _program_ did, a la strace -f.
> Auditd with a proper rules config
> @brendangregg flamegraphs show time spent per system call. strace, lsof will show files opened and bytes read. auditd and selinux will show, log and permit access to files and processes
> gAdvisor would be an interesting place to implement something like this
> possibly a combination of auditd, lsof (now), and viewing /proc filesystem... there is tons of great info in there.. I think the issue is you need auditing on to see history...
> Perhaps something like cuckoo sandbox might be of use?
> It's been a while, but possibly dtrace?
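As an added example (not from any participant in the thread above): a small POSIX shell script that does the collating step the first reply says strace lacks, turning `strace -f` output into lists of programs executed, files opened (with counts), failed opens and remote connects. The strace lines it parses are a constructed sample embedded in the script; on a real run you would feed it a trace saved with `strace -f -o trace.txt`.

```shell
#!/bin/sh
# Added example: collate `strace -f` output by what the traced program did.
# Constructed sample of strace -f output (assumed input, not a real trace).
SAMPLE='[pid  4711] execve("/usr/bin/make", ["make", "all"], 0x7ffd) = 0
[pid  4712] execve("/usr/bin/cc", ["cc", "-c", "a.c"], 0x7ffd) = 0
[pid  4712] openat(AT_FDCWD, "a.c", O_RDONLY) = 3
[pid  4712] openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY|O_CLOEXEC) = 4
[pid  4712] openat(AT_FDCWD, "a.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
[pid  4713] openat(AT_FDCWD, "a.c", O_RDONLY) = 3
[pid  4711] connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
[pid  4711] openat(AT_FDCWD, "/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4712] +++ exited with 0 +++'

# Drop the "[pid NNNN] " prefix strace -f adds and the exit notices,
# leaving one syscall per line regardless of which child made it.
strip_pids() {
  sed -e 's/^\[pid *[0-9]*\] //' -e '/^+++/d'
}

# Programs executed: the path argument of every successful execve.
execs() {
  strip_pids | sed -n 's/^execve("\([^"]*\)".*) = 0$/\1/p' | sort -u
}

# Files opened successfully, most frequently opened first.
opens() {
  strip_pids | awk -F'"' '/^openat\(/ && !/= -1/ { print $2 }' | sort | uniq -c | sort -rn
}

# Opens that failed: these usually reveal search paths and probed config files.
failed_opens() {
  strip_pids | awk -F'"' '/^openat\(/ && /= -1/ { print $2 }' | sort -u
}

# Remote IPv4 addresses the program connected to.
connects() {
  strip_pids | sed -n 's/.*inet_addr("\([^"]*\)").*/\1/p' | sort -u
}

# Number of non-empty lines, for quick totals.
count_lines() { grep -c . ; }

# Usage with a saved trace: `execs < trace.txt`, `opens < trace.txt`, etc.
# Here the functions run over the constructed sample.
printf '%s\n' "$SAMPLE" | execs
printf '%s\n' "$SAMPLE" | opens
```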