> Is there some redundancy between Audit and SystemTap?

Sure. Other than logistical (installation) issues though, there is the potential for more interesting differences. Audit is a single system-wide facility, so only a single configuration (set of trace points) can be active at a time. Systemtap is per-session, so many different probing sessions collecting different sorts of data can run at the same time. Mortadelo represents only a basic use of systemtap at present (an unconditional trace record for a bunch of system calls, system-wide). It could do something richer, like dynamically adjusting the target process/syscall list to reduce trace data quantity (-> improve performance, reduce system impact); encoding user-specified filters; changing these even during systemtap probe run-time using a /proc file interface.
Copyright © 2017, Eklektix, Inc.