
Is there a tool that summarises 'what a program did' in linux? - jotto
https://twitter.com/ianmiell/status/1007905543300747264
======
severine
Some responses:

> Strace doesn't count, by the way. It tells you what a program is doing, but
> doesn't collate the information so you can slice and dice it.

> strace -f $CMD 2>&1 | sed 's/^.pid[ 0-9]*..\(.*\)/\1/g' | sort -u does
> most of what I want, so will probably do for now.

> snoopy? bpf?

> Snoopy looks like it tracks executions across the system rather than
> focussing on what one execution did. bpf looks powerful, but is only for
> recent kernels, which might suffice.

> You're looking for sysdig.

> It's tricky to get that to tell you what a _program_ did, a la strace -f.

> Auditd with a proper rules config

> @brendangregg flamegraphs show time spent per system call. strace, lsof
> will show files opened and bytes read. auditd and selinux will show, log and
> permit access to files and processes

> gAdvisor would be an interesting place to implement something like this

> possibly a combination of auditd, lsof (now), and viewing /proc
> filesystem... there is tons of great info in there.. i think the issue is
> you need auditing on to see history...

> Perhaps something like cuckoo sandbox might be of use?

> It's been a while, but possibly dtrace?
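One way to do the collating that the thread says strace itself lacks, as an added example that is not from the thread or any of the tools named in it: it parses strace -f output (with or without the [pid N] prefix), skips unfinished/resumed fragments, and summarises execs, file opens (split by success and failure), and outbound connects across all PIDs. It assumes strace's default line format; the sample capture is constructed.

```python
"""Collate `strace -f` output into one summary of what a program did."""
import re
from collections import Counter

# One completed syscall line, with or without the "[pid N]" prefix strace -f adds.
LINE_RE = re.compile(r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>\w+)\((?P<args>.*)\)'
                     r'\s+=\s+(?P<ret>-?[\w?]+)(?P<rest>.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')                  # C-style quoted strings in args
INET = re.compile(r'sin6?_port=htons\((\d+)\).*?"([^"]+)"')  # port, then the address

def summarize(lines):
    """Return a dict describing the run: pids seen, syscall counts, execs, files, sockets."""
    counts, pids, execs = Counter(), set(), []
    files_ok, files_failed, conns = set(), set(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:   # "<unfinished ...>", "<... resumed>" and "+++ exited" lines
            continue
        call, args, failed = m['call'], m['args'], m['ret'].startswith('-')
        pids.add(m['pid'] or 'main')   # lines without a prefix belong to the main tracee
        counts[call] += 1
        if call in ('open', 'openat', 'creat'):
            paths = QUOTED.findall(args)
            if paths:   # last quoted argument is the path for openat(dirfd, path, ...)
                (files_failed if failed else files_ok).add(paths[-1])
        elif call in ('execve', 'execveat') and not failed:
            execs.append(QUOTED.findall(args)[0])
        elif call == 'connect':
            hit = INET.search(args)
            if hit:
                conns.add((hit.group(2), int(hit.group(1))))
    return {'pids': sorted(pids), 'syscalls': dict(counts), 'execs': execs,
            'files_ok': sorted(files_ok), 'files_failed': sorted(files_failed),
            'connections': sorted(conns)}

# Constructed sample of strace -f output (not a real capture); address is documentation range.
SAMPLE = """\
execve("/usr/bin/curl", ["curl", "http://192.0.2.10/"], 0x7ffe0 /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
[pid  4242] openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid  4242] read(5,  <unfinished ...>
[pid  4241] <... read resumed>"HTTP/1.1 200", 1024) = 12
+++ exited with 0 +++
"""

if __name__ == '__main__':
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f'{key}: {value}')
```

Feed it a real capture with `strace -f -o trace.txt $CMD` and `summarize(open('trace.txt'))`; the failed-open list is often the most telling part, since it shows which config, credential or library paths a program probed.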

