undefined | Better HN

0 pointsbpchaps9y ago0 comments

Definitely crossed my mind, but I'm working on hosts where installing auditd isn't really easy. Broken yum and apt all over the place makes installing new packages almost impossible. Same goes for lsof, but its installed in "enough" places. Kinda nightmarish, but it gives me a chance to write some fun code ;).

Also, thanks for the article! Super interesting. Think that'd be better than implementing something on top of sysdig?

0 comments

3 comments · 2 top-level

tyingq9y ago· 1 in thread

Another non polling option: http://www.brendangregg.com/blog/2014-07-25/opensnoop-for-li...

bpchapsOP9y ago

+1 for anything by Brendan Gregg.

I wasn't aware of the polling limitations of sysdig, but it definitely explains some things I've seen in the past. This is definitely going in my toolkit. Cheers!

Edit: dammit, spelled his name wrong.

tyingq9y ago

Auditd has the advantage of not being intermittent polling, which could miss something. Sounds like it isn't an option though.

j / k navigate · click thread line to collapse