{{tag>Brouillon Process Syscall}}
= Process auditing when strace is not available
See:
* /proc/[PID]/
* procmap
lsof -p 33279                                  # open files, sockets and mappings of PID 33279
ps -efL |grep plop |wc -l                      # number of threads (LWPs) of "plop" (-L lists one line per thread)
ss -tnp |grep plop                             # TCP sockets of "plop" with owning PID/fd (-p needs root for other users' processes)
tcpdump -A -s0 host 192.168.100.5 and port 21  # full packets (-s0) with ASCII payload (-A); FTP is cleartext
dmesg                                          # kernel ring buffer: segfaults, OOM kills, module and hardware errors
pmap 33279                                     # memory map of PID 33279 (same data as /proc/33279/maps)
strace -r -o trace.log sudo echo hi            # relative timestamps between syscalls; run strace as root, otherwise a traced setuid binary such as sudo runs without its setuid privileges
To see the I/O going through file descriptors 0, 1 and 2 of PID 32167 (peekfd from psmisc; ''-n'' no headers, ''-8'' 8-bit clean, ''-d'' drop duplicated reads/writes, ''-c'' also follow child processes; it attaches with ptrace, so the same scope rules as strace apply):
peekfd -n -8 -d -c 32167 0 1 2
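The same audit done with nothing but /proc, as an added example that is not part of the original page: thread count from /proc/PID/status (what the ''ps -efL'' line counts), open fds with their targets (the /proc side of ''lsof -p''), and the TCP connections behind the process's socket inodes (the /proc side of ''ss -tnp''), decoded from /proc/net/tcp, whose addresses are stored as little-endian hex. It assumes a Linux host with /proc mounted and POSIX sh; the PID in the usage line and the /proc/net/tcp row used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a process through /proc alone,
# for hosts without strace/lsof/ss or where ptrace attach is forbidden.
# Usage: ./procaudit.sh <PID>      (PID is a constructed argument)

# Thread count, taken from the "Threads:" line of /proc/PID/status.
proc_threads() {
    awk '/^Threads:/ { print $2 }' "/proc/$1/status"
}

# Open file descriptors and their targets: files, pipe:[inode], socket:[inode].
proc_fds() {
    local fd
    for fd in "/proc/$1/fd"/*; do
        [ -e "$fd" ] || continue            # guard for an empty glob
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# /proc/net/tcp stores IPv4 addresses as little-endian hex "AABBCCDD:PORT"
# (0100007F:1F90 is 127.0.0.1:8080); turn one field into dotted-quad:port.
decode_tcp_addr() {
    local hex port b1 b2 b3 b4
    hex=${1%%:*}; port=${1##*:}
    b1=$(printf '%s' "$hex" | cut -c1-2)
    b2=$(printf '%s' "$hex" | cut -c3-4)
    b3=$(printf '%s' "$hex" | cut -c5-6)
    b4=$(printf '%s' "$hex" | cut -c7-8)
    printf '%d.%d.%d.%d:%d\n' "0x$b4" "0x$b3" "0x$b2" "0x$b1" "0x$port"
}

# Socket state codes from include/net/tcp_states.h in the kernel.
tcp_state_name() {
    case "$1" in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
    esac
}

# Read a /proc/net/tcp table on stdin and print the rows whose inode (column 10)
# is among the arguments. Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
tcp_lookup() {
    local want sl laddr raddr st q tr retr uid tmo inode rest
    want=" $* "
    tail -n +2 | while read -r sl laddr raddr st q tr retr uid tmo inode rest; do
        case "$want" in
            *" $inode "*)
                printf '%s %s -> %s (inode %s)\n' "$(tcp_state_name "$st")" \
                    "$(decode_tcp_addr "$laddr")" "$(decode_tcp_addr "$raddr")" "$inode" ;;
        esac
    done
}

# TCP sockets of a PID: socket inodes from its fd links, resolved against the
# /proc/PID/net/tcp of the target itself, so a process in another network
# namespace (container) is looked up in the right table.
proc_sockets() {
    local pid inodes
    pid=$1
    inodes=$(proc_fds "$pid" | sed -n 's/.*socket:\[\([0-9]*\)\]/\1/p')
    [ -n "$inodes" ] || return 0
    # shellcheck disable=SC2086   # word splitting on the inode list is intended
    tcp_lookup $inodes < "/proc/$pid/net/tcp"
}

if [ -n "${1:-}" ]; then
    pid=$1
    echo "== $(tr '\0' ' ' < "/proc/$pid/cmdline") (pid $pid, $(proc_threads "$pid") threads)"
    echo "cwd: $(readlink "/proc/$pid/cwd")  exe: $(readlink "/proc/$pid/exe")"
    echo "-- fds";         proc_fds "$pid"
    echo "-- tcp sockets"; proc_sockets "$pid"
fi
```

Reading another user's /proc/PID/fd, cwd and exe needs the same uid or CAP_SYS_PTRACE (the ptrace_may_access check), which is exactly the check that ''lsof -p'' and ''ss -p'' run into; /proc/net/tcp itself is world-readable. IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and are not decoded here.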
== strace notes
strace is a debugging utility for Linux that monitors the system calls a program makes and the signals it receives; it attaches with ptrace, which is why the scope restrictions below apply to it.
See also:
* eBPF – Linux kernel tracing backend providing a set of features similar to DTrace since kernel version 4.9
* ftrace – a tracing framework for the Linux kernel, capable of tracing scheduling events, interrupts, memory-mapped I/O, CPU power state transitions, etc.
* ltrace – a Linux debugging utility, displays the calls a userland application makes to shared libraries
* SystemTap – a scripting language and utility used for instrumenting Linux installations
''-s strsize'' specifies the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full.
=== Enabling / forbidding strace
The Yama LSM decides who may attach with ptrace; the current value is in /proc/sys/kernel/yama/ptrace_scope:
kernel.yama.ptrace_scope = 0: classic behaviour, any process may attach to any other process running as the same uid (subject to the usual dumpable/capability checks).
kernel.yama.ptrace_scope = 1: restricted, a process may only attach to its own descendants, or to a process that explicitly allowed it with prctl(PR_SET_PTRACER); root (CAP_SYS_PTRACE) can still attach to anything. This is the Ubuntu default.
kernel.yama.ptrace_scope = 2: admin only, attaching requires CAP_SYS_PTRACE.
kernel.yama.ptrace_scope = 3: no process may be traced with ptrace at all; once set, the value cannot be lowered again and a reboot is needed to enable ptracing.
# LANG=C strace -p 1171
strace: attach: ptrace(PTRACE_ATTACH, 1171): Operation not permitted
# echo 0 > /proc/sys/kernel/yama/ptrace_scope
# LANG=C strace -p 1171
Writing to /proc/sys is not persistent (use a file under /etc/sysctl.d/ for that), and scope 0 weakens the whole host while it is set: any process may then read the memory of any other process of the same uid, credentials included. Prefer attaching as root, which works at scope 1 and 2, and restore the previous value (''sysctl -w kernel.yama.ptrace_scope=1'') when the session is over.
Typical option sets; the command to trace (or ''-p PID'') goes after the options, the trace itself goes to the ''-o'' file and the program's own output to the ''&>'' redirect (bash syntax):
strace -T -tt -f -v -q -s 4096 -o /tmp/nonworking_cp-strace.out &> /tmp/nonworking_cp.out
strace -fvttTyyx -s 1024 -o /tmp/strace.out &> /tmp/df.out
''-T'' time spent in each syscall, ''-tt'' absolute timestamps with microseconds, ''-f'' follow forks and threads, ''-v'' unabbreviated structures (stat, environment, ...), ''-q'' no attach/detach messages, ''-s'' maximum string length, ''-y'' print the path behind each fd, ''-yy'' also the protocol and addresses of sockets, ''-x'' print non-ASCII strings in hex.
== Other
=== Auditing signals / kills
https://github.com/iovisor/bcc/
https://github.com/brendangregg/perf-tools/blob/master/killsnoop
https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/analyzing-system-performance-with-bpf-compiler_collection_managing-monitoring-and-updating-the-kernel
=== Comparing different environments
See **procenv**