
Process audit when strace is not available

See:

  • /proc/[PID]/
  • procmap
  • lsof -p 33279
  • ps -efL |grep plop |wc -l
  • ss -tnp |grep plop
  • tcpdump -A -s0 host 192.168.100.5 and port 21
  • dmesg
  • pmap 33279
  • strace -r -o trace.log sudo echo hi

To see the I/O on the file descriptors

peekfd -n -8 -d -c 32167 0 1 2
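The entries above (/proc/[PID]/, lsof -p, ss -tnp, pmap) can all be approximated by reading procfs directly when none of those tools is installed. The script below is an added example, not part of the original notes: it assumes the standard Linux /proc layout and only sh, ls, readlink, sed, awk, cut, tr, grep and tail. It goes a bit beyond the list by resolving the socket:[inode] links in /proc/PID/fd against /proc/PID/net/tcp, which is what ss -tnp does for you, and it prints TracerPid from /proc/PID/status so you can see whether something is already ptracing the process. Reading another user's fd/, exe or cwd requires root (CAP_SYS_PTRACE); the Yama ptrace_scope sysctl restricts PTRACE_ATTACH, not these reads.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a process directly from
# procfs when strace, lsof and ss are missing. Assumes the standard Linux
# /proc layout. Reading another user's fd/, exe, cwd needs root
# (CAP_SYS_PTRACE); the Yama ptrace_scope sysctl only restricts PTRACE_ATTACH.

# Number of open file descriptors of PID.
proc_fd_count() {
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Every fd with its target: a path, "pipe:[N]", "socket:[N]", "anon_inode:...".
# -L rather than -e so fds pointing at deleted files are still listed.
proc_fd_targets() {
    for fd in "/proc/$1/fd"/*; do
        [ -L "$fd" ] || continue
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# Socket inodes held by PID, one per line (the N inside "socket:[N]").
proc_socket_inodes() {
    proc_fd_targets "$1" | sed -n 's/.*socket:\[\([0-9]*\)\].*/\1/p'
}

# /proc/net/tcp stores IPv4 addresses as little-endian hex: 0100007F is 127.0.0.1.
hex_to_ip() {
    printf '%d.%d.%d.%d\n' \
        "0x$(printf %s "$1" | cut -c7-8)" "0x$(printf %s "$1" | cut -c5-6)" \
        "0x$(printf %s "$1" | cut -c3-4)" "0x$(printf %s "$1" | cut -c1-2)"
}

# Ports are big-endian hex: 1F90 is 8080.
hex_to_port() {
    printf '%d\n' "0x$1"
}

# TCP sockets of PID: join its socket inodes against the tcp table of the
# process's own network namespace (/proc/PID/net/tcp, column 10 = inode).
proc_tcp_connections() {
    pid=$1
    tcp="/proc/$pid/net/tcp"
    [ -r "$tcp" ] || return 0
    inode_set=" $(proc_socket_inodes "$pid" | tr '\n' ' ') "
    case "$inode_set" in *[0-9]*) ;; *) return 0 ;; esac   # no sockets at all
    tail -n +2 "$tcp" | awk '{print $2, $3, $4, $10}' |
    while read -r laddr raddr st inode; do
        case "$inode_set" in
            *" $inode "*) ;;        # this socket belongs to PID
            *) continue ;;
        esac
        case "$st" in               # kernel TCP state codes
            01) state=ESTABLISHED ;;
            0A) state=LISTEN ;;
            *)  state="st=0x$st" ;;
        esac
        printf 'tcp %s:%s -> %s:%s %s (inode %s)\n' \
            "$(hex_to_ip "${laddr%:*}")" "$(hex_to_port "${laddr#*:}")" \
            "$(hex_to_ip "${raddr%:*}")" "$(hex_to_port "${raddr#*:}")" \
            "$state" "$inode"
    done
}

# One-shot summary of a PID. TracerPid in status is non-zero when a tracer
# (strace, gdb, ...) is already attached to the process.
proc_audit() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    grep -E '^(Name|PPid|Uid|Gid|Threads|TracerPid):' "/proc/$pid/status"
    printf 'open fds: %s\n' "$(proc_fd_count "$pid")"
    proc_fd_targets "$pid"
    proc_tcp_connections "$pid"
}

# Usage: sh proc_audit.sh PID   (defaults to the running shell itself)
if [ -d /proc/self ]; then
    proc_audit "${1:-$$}"
fi
```

Run it as root against a suspect PID to get the same picture as lsof -p plus ss -tnp in one pass; the fd targets also tell you what peekfd would be reading from (pipes and sockets) before you attach to them.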

strace notes

A debugging utility for Linux that monitors the system calls a program makes and all the signals it receives.

See also:

  • eBPF – Linux kernel tracing backend providing a set of features similar to DTrace since kernel version 4.9
  • ftrace – a tracing framework for the Linux kernel, capable of tracing scheduling events, interrupts, memory-mapped I/O, CPU power state transitions, etc.
  • ltrace – a Linux debugging utility, displays the calls a userland application makes to shared libraries
  • SystemTap – a scripting language and utility used for instrumenting Linux installations

-s strsize Specifies the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full.

Enabling / blocking strace

    kernel.yama.ptrace_scope = 0: all processes can be debugged, as long as they have the same uid. This is the classic way ptrace worked.
    kernel.yama.ptrace_scope = 1: only a parent process can debug (its descendants).
    kernel.yama.ptrace_scope = 2: only an admin can use ptrace, as it requires the CAP_SYS_PTRACE capability.
    kernel.yama.ptrace_scope = 3: no process may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.
# LANG=C strace -p 1171
strace: attach: ptrace(PTRACE_ATTACH, 1171): Operation not permitted

# echo 0 > /proc/sys/kernel/yama/ptrace_scope
# LANG=C strace -p 1171
strace -T -tt -f -v -q -s 4096 -o /tmp/nonworking_cp-strace.out <cp command>  &> /tmp/nonworking_cp.out

strace -fvttTyyx -s 1024 -o /tmp/strace.out <command> &> /tmp/df.out

Other

Auditing signals / kills

Comparison between different environments

See procenv
