
File monitoring with Mortadelo and SystemTap

File monitoring with Mortadelo and SystemTap

Posted Mar 6, 2008 10:49 UTC (Thu) by darwish07 (subscriber, #49520)
Parent article: File monitoring with Mortadelo and SystemTap

Is there some redundancy between Audit and SystemTap ?

Audit can monitor a system call .. SystemTap does so
Audit can monitor single files .. Again, SystemTap does so

The uncommon thing now is the ability to audit LSMs by, say, a MAC subject label and giving
LSMs an easy structure to report violations.

It'll be interesting to see how they will both react once SystemTap gains more popularity.



File monitoring with Mortadelo and SystemTap

Posted Mar 6, 2008 13:37 UTC (Thu) by fuhchee (subscriber, #40059)

> Is there some redundancy between Audit and SystemTap ?

Sure.  Other than logistical (installation) issues though,
there is the potential for more interesting differences.

Audit is a single system-wide facility, so only a single
configuration (set of trace points) can be active at a time.
Systemtap is per-session, so many different probing sessions
collecting different sorts of data can run at the same time.

Mortadelo represents only a basic use of systemtap at the
present (an unconditional trace record for a bunch of
systemcalls, system-wide).  It could do something richer,
like dynamically adjusting the target process/syscall list
to reduce trace data quantity (-> improve performance, reduce
system impact), encoding user-specified filters, or changing
these even during systemtap probe run-time using a /proc file
interface.
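The kind of richer script fuhchee describes, as an added example that is not Mortadelo's own code and not part of the original thread: a per-session SystemTap trace of a handful of file-related syscalls, gated by a process and syscall filter that can be changed while the session runs through a procfs control file. The module name `mortadelo_demo`, the control-file command vocabulary (`add`, `del`, `syscall`, `nosyscall`, `clear`) and the particular syscalls probed are assumptions made for the example.

```systemtap
#! /usr/bin/env stap
# Added example, not Mortadelo's own code.  A per-session SystemTap
# syscall trace whose target process list and syscall filter can be
# changed while the session runs, through a procfs control file.
#
# Assumptions (not from the original discussion): the module name
# "mortadelo_demo", the control-file command vocabulary below, and
# the particular syscalls probed.
#
#   stap -m mortadelo_demo mortadelo_demo.stp
#   echo "add bash"      > /proc/systemtap/mortadelo_demo/control
#   echo "syscall open"  > /proc/systemtap/mortadelo_demo/control
#   cat /proc/systemtap/mortadelo_demo/control     # show current filter

global targets        # execname -> 1 : processes to trace
global ntargets       # entries in targets (0 = trace every process)
global want_syscall   # syscall name -> 1 : syscalls to trace
global nsyscalls      # entries in want_syscall (0 = trace every probed syscall)
global records        # execname -> number of trace records emitted

# Decide, before formatting anything, whether this event passes the
# current filter; events that fail never leave the kernel.
function wanted:long(name:string, sc:string) {
  proc_ok = (ntargets == 0) || (name in targets)
  sc_ok   = (nsyscalls == 0) || (sc in want_syscall)
  return proc_ok && sc_ok
}

# The unconditional system-wide trace, with the filter check in front.
probe syscall.open, syscall.openat, syscall.read, syscall.write,
      syscall.unlink, syscall.rename {
  if (!wanted(execname(), name)) next
  printf("%d %s[%d] %s(%s)\n", gettimeofday_us(), execname(), pid(), name, argstr)
  records[execname()]++
}

# Writes to /proc/systemtap/<module>/control adjust the filter at run time.
# Commands: "add <execname>", "del <execname>", "syscall <name>",
# "nosyscall <name>", "clear".
probe procfs("control").write {
  cmd = tokenize($value, " \t\n")   # $value is the text written to the file
  arg = tokenize("", " \t\n")
  if (cmd == "add") {
    if (!(arg in targets)) ntargets++
    targets[arg] = 1
  } else if (cmd == "del") {
    if (arg in targets) { delete targets[arg]; ntargets-- }
  } else if (cmd == "syscall") {
    if (!(arg in want_syscall)) nsyscalls++
    want_syscall[arg] = 1
  } else if (cmd == "nosyscall") {
    if (arg in want_syscall) { delete want_syscall[arg]; nsyscalls-- }
  } else if (cmd == "clear") {
    delete targets; delete want_syscall
    ntargets = 0; nsyscalls = 0
  } else {
    warn(sprintf("control: unknown command %s", cmd))
  }
}

# Reading the control file reports the filter currently in force.
probe procfs("control").read {
  out = sprintf("processes: %s\n", ntargets == 0 ? "all" : "")
  foreach (p in targets) out .= sprintf("  %s\n", p)
  out .= sprintf("syscalls: %s\n", nsyscalls == 0 ? "all" : "")
  foreach (s in want_syscall) out .= sprintf("  %s\n", s)
  $value = out
}

probe end {
  printf("\ntrace records per process:\n")
  foreach (p in records-) printf("  %8d %s\n", records[p], p)
}
```

Because the filter is evaluated inside the probe handler, events that do not match are dropped in the kernel before any record is formatted or copied to user space, which is where the reduction in trace volume and overhead comes from. Several such sessions with different filters can run side by side, each with its own control file under /proc/systemtap/, which is the per-session property contrasted with audit above. The read probe builds its reply in a single string, so with many entries it can hit SystemTap's default string length limit; raise it with -DMAXSTRINGLEN=... if that matters.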

File monitoring with Mortadelo and SystemTap

Posted Mar 6, 2008 22:16 UTC (Thu) by darwish07 (subscriber, #49520)

Aha .. Thanks for this great explanation.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds