Tuesday, February 21, 2006

OpenBSD strace - Ktrace

I have just successfully installed prelude-IDS; I'm happy that I can get it installed on OpenBSD without much hassle. However, it let me down when I tried to register the sensor to the prelude central management server. It seems that it has a bug where, when I try to register the sensor, the server end is listening in the IPv6 space, so registration failed all the time. I quickly logged in to the irc.freenode.net #prelude channel to look for help. The lead developer of prelude-IDS, Yoann, is a very nice and helpful person. I quickly ran gdb to locate the bug to report, and he fixed it and sent a patch to me; he also asked me to submit the bug report using strace if it's not fixed after applying the patch. The patch fixes the bug perfectly. However, since I feel adventurous, I'm thinking of installing strace on my OpenBSD box, but when I try to install it, I get an error saying OpenBSD is not a supported OS.


Then Yoann told me to use ktrace, which is similar to strace but is a native tool of OpenBSD; however, to use ktrace properly, you have to use kdump to read ktrace's output. From the man page, ktrace enables kernel trace logging for the specified processes, and it is used to trace system calls, I/O, etc. for a process. To demonstrate ktrace, I just take the libstatgrab monitoring tool saidar as an example.

shell>ktrace -f /var/log/ktrace.out -tc saidar

Read it using kdump:

shell>kdump -f /var/log/ktrace.out

Below is the output of kdumping saidar; it looks similar to strace output.


You can also trace a process that is already running by its pid:

shell>ps auxww | grep saidar
root 12410 0.0 0.5 608 1288 p2 S+ 11:44PM 0:00.09 saidar

shell>ktrace -f /var/log/saidar_trace.out -p 12410

You can read saidar_trace.out using kdump later. You can also specify what you want to trace with the -t option, which lets you choose which trace points you want, such as I/O, system calls, signal processing, etc. If you just want to watch the system calls of the running process, you can just run

shell>ktrace -f /var/log/saidar_syscall.out -t c -p 12410
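A kdump listing of a long-running process quickly becomes a wall of CALL/RET lines. Here is an added example (not part of the original post) that summarises a `kdump -t c` listing into per-syscall call and error counts, much like `strace -c`; the kdump lines embedded in it are constructed to resemble saidar's output, and the `kdump_summary` and `kdump_calls` function names are my own.

```shell
#!/bin/sh
# Summarise a "kdump -t c" listing (produced on OpenBSD by
# ktrace -t c ... followed by kdump -f ...) into call/error counts.
# The sample below is CONSTRUCTED to resemble kdump output for saidar.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
 12410 saidar   CALL  open(0x3c0129a0,0,0)
 12410 saidar   RET   open -1 errno 2 No such file or directory
 12410 saidar   CALL  sysctl(0xcfbe2c40,0x2,0xcfbe2c90,0xcfbe2c8c,0,0)
 12410 saidar   RET   sysctl 0
 12410 saidar   CALL  write(0x1,0x3c00a000,0x40)
 12410 saidar   RET   write 64/0x40
 12410 saidar   CALL  nanosleep(0xcfbe2d38,0)
 12410 saidar   RET   nanosleep 0
 12410 saidar   CALL  write(0x1,0x3c00a000,0x40)
 12410 saidar   RET   write 64/0x40
EOF

# kdump_summary FILE
# Prints "syscall calls errors" per syscall, most-called first.
# A CALL line carries "name(args)"; a RET line whose value is -1
# is a failed call (kdump appends "errno N <text>" to it).
kdump_summary() {
    awk '
        $3 == "CALL" { name = $4; sub(/\(.*/, "", name); calls[name]++ }
        $3 == "RET"  { if ($5 == "-1") errs[$4]++ }
        END {
            for (n in calls)
                printf "%s %d %d\n", n, calls[n], errs[n] + 0
        }
    ' "$1" | sort -k2,2nr -k1,1
}

# kdump_calls FILE SYSCALL
# Number of CALL lines recorded for one syscall (empty if never called).
kdump_calls() {
    kdump_summary "$1" | awk -v s="$2" '$1 == s { print $2 }'
}

kdump_summary "$SAMPLE"
```

Run it against a real ktrace.out converted with kdump to see which calls dominate and which ones fail, which is usually the first thing to look at when a daemon misbehaves.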

With ktrace and kdump, we can enjoy an strace-like tool :]
