
Comment by deemkeen

3 months ago

diffwatch is kinda general purpose; besides the agent work you could watch different processes doing stuff in your homedir, for example

Cool tool! Is the inotify directory/file watch count the limit?

I can't seem to remember the name of the pre-containers tool that creates a virtual build root and traps all the file syscalls. It's not strace.

Easier to trace everything an AI runs by running the agent in a container with limited access to specific filesystem volumes.

eBPF is the fastest way to instrument in Linux AFAIU:

Traceleft: https://github.com/ShiftLeftSecurity/traceleft

Tracee: https://github.com/aquasecurity/tracee

Falco docs > Supported events: https://falco.org/docs/reference/rules/supported-events/

Tetragon: https://github.com/cilium/tetragon

strace could have a --diff-fs-syscall-files option:

  strace -p PID -f -F -e trace=file -s 65536

  • it uses the OS-independent fsnotify lib, it surely has its limits. eBPF is great, but Linux only, yeah

    • On macOS:

        sudo dtrace -n 'vfs::*:entry { printf("%-16s %-6d %s", execname, pid, probefunc); }'

        sudo dtrace -n 'vfs:lookup:entry { printf("%-16s %-6d %s", execname, pid, copyinstr(arg1)); }'

      TIL DTrace is included in recent builds of Windows 11 and Server 2025: https://learn.microsoft.com/en-us/windows-hardware/drivers/d...

        # Must be run as Administrator
        dtrace -n "syscall::NtCreateFile:entry, syscall::NtReadFile:entry, syscall::NtWriteFile:entry { printf(\"%s (%d) - %s\", execname, pid, probefunc); }"

      It's possible to trace file system calls in Windows with procmon.exe by saving a .pmc config file and then loading it from the CLI:

        procmon.exe
        # uncheck everything except "Show File System Activity"
        # Filter > Drop Filtered Events
        # File > Export Configuration...

        # Must be run as Administrator
        procmon.exe /AcceptEula /Quiet /Minimized /LoadConfig C:\Tools\fs-only.pmc /BackingFile C:\Logs\FileSystemTrace.pml

      It's also possible to trace lower-level file system calls in Windows with logman.exe, but it's necessary to parse the traces that it generates.

      Then with just bpftrace on Linux:

        sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%-6d %-16s %s\n", pid, comm, str(args.filename)); }'

        sudo bpftrace -e 'kprobe:vfs_read, kprobe:vfs_write, kprobe:vfs_open { printf("%-16s %-6d %s\n", comm, pid, probefunc); }'

      ... According to 2.5pro on the cli strs

      strace, dtrace, and bpftrace could have a --diff-fs-syscall-files option.

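Added example (not code from the thread, from diffwatch, or from strace): a Python post-processor for the output of the `strace -f -e trace=file` invocation quoted above, producing the per-file summary that the commenters wished strace had as a `--diff-fs-syscall-files` option. It parses the text format strace writes with `-f -o`, pulls the path arguments out of each file syscall, classifies the access (read, write, delete, rename, exec, stat) and keeps failed calls under their errno, so an attempted read of a key file that hit EACCES still shows up for the person reviewing what the agent did. The strace lines in `SAMPLE` are constructed, and the `agent` binary name, the `/home/dev` paths and the syscall groupings are assumptions.

```python
"""Summarise which files a traced process tree touched, from strace output.

Added example, not part of the thread.  Post-processes the output of:

    strace -f -e trace=file -s 65536 -o trace.log -- <command>
"""
import re
from collections import defaultdict

# One strace line: optional pid (present with -f -o), syscall name, argument
# list, return value, optional errno with its description.  Fragments such as
# "<unfinished ...>" / "<... resumed>" and "+++ exited +++" do not match and
# are skipped.
LINE_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>-?\d+|\?)(?:\s+(?P<errno>E[A-Z]+)\s+\(.*\))?\s*$'
)
# Quoted string arguments; strace escapes embedded quotes with a backslash.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Assumed groupings of file syscalls by the effect they have on a path.
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")
DELETE_CALLS = {"unlink", "unlinkat", "rmdir"}
RENAME_CALLS = {"rename", "renameat", "renameat2"}
LINK_CALLS = {"link", "linkat", "symlink", "symlinkat"}
MODIFY_CALLS = {"chmod", "fchmodat", "chown", "fchownat", "truncate",
                "mkdir", "mkdirat", "creat"}
EXEC_CALLS = {"execve", "execveat"}
METADATA_CALLS = {"stat", "lstat", "newfstatat", "statx", "access",
                  "faccessat", "faccessat2", "readlink", "readlinkat"}
MUTATING = {"write", "create", "delete", "rename-from", "rename-to", "modify"}


def classify(call, args):
    """Return (path, kind) pairs for one parsed syscall."""
    paths = QUOTED_RE.findall(args)
    if not paths:
        return []
    if call in RENAME_CALLS and len(paths) >= 2:
        return [(paths[0], "rename-from"), (paths[1], "rename-to")]
    if call in LINK_CALLS and len(paths) >= 2:
        return [(paths[-1], "create")]       # the new name is the last path
    path = paths[0]                          # execve: argv strings follow, ignore
    if call in DELETE_CALLS:
        return [(path, "delete")]
    if call in EXEC_CALLS:
        return [(path, "exec")]
    if call in MODIFY_CALLS:
        return [(path, "modify")]
    if call in METADATA_CALLS:
        return [(path, "stat")]
    if call in ("open", "openat", "openat2"):
        kind = "write" if any(f in args for f in WRITE_FLAGS) else "read"
        return [(path, kind)]
    return [(path, call)]                    # unknown file syscall: keep raw name


def summarize(lines):
    """Map path -> {kind: [pids]}.  Failed calls get kind "<kind>:<errno>"
    so attempts that were denied or missed remain visible."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = m.group("pid") or "?"
        for path, kind in classify(m.group("call"), m.group("args")):
            if m.group("errno"):
                kind = f"{kind}:{m.group('errno')}"
            summary[path][kind].add(pid)
    return {p: {k: sorted(v) for k, v in kinds.items()}
            for p, kinds in summary.items()}


def changed_files(summary):
    """Paths whose contents or existence were altered: the 'diff' view."""
    return sorted(p for p, kinds in summary.items() if MUTATING & set(kinds))


def sensitive_hits(summary, prefixes):
    """Any access, successful or not, under the given path prefixes."""
    return sorted(p for p in summary if p.startswith(tuple(prefixes)))


# Constructed sample of strace -f -o output (not a real capture).
SAMPLE = """\
4242  execve("/usr/bin/agent", ["agent", "--task", "refactor"], 0x7ffc1c2d3e40 /* 40 vars */) = 0
4242  openat(AT_FDCWD, "/home/dev/project/src/main.py", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/home/dev/project/src/main.py", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644) = 4
4242  newfstatat(AT_FDCWD, "/home/dev/.ssh/id_ed25519", {st_mode=S_IFREG|0600, st_size=411, ...}, 0) = 0
4242  openat(AT_FDCWD, "/home/dev/.ssh/id_ed25519", O_RDONLY) = -1 EACCES (Permission denied)
4243  unlink("/home/dev/project/.env") = 0
4243  rename("/tmp/cfg.new", "/home/dev/.config/agent/config.toml") = 0
4243  openat(AT_FDCWD, "/etc/agent.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4243  +++ exited with 0 +++
4242  +++ exited with 0 +++
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for path in changed_files(s):
        print("changed:  ", path, s[path])
    for path in sensitive_hits(s, ["/home/dev/.ssh"]):
        print("sensitive:", path, s[path])
```

Run on a real capture with `summarize(open("trace.log"))`. Reads are kept in the summary but excluded from `changed_files`, which is the list to diff against a second run; `sensitive_hits` is the place to hang a prefix list such as key and credential directories, since the denied attempt is as informative as a successful read.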