How do I strace the whole system?
Simplest way with systemtap is something like:
stap -e 'probe nd_syscall.* { println(execname(), pid(), " ", pn(), argstr) }'
(@Vi, no manual kernel module work is required; systemtap does that for itself. You need kernel-module-development files available though.)
It's not very feasible to "strace the whole system" from userspace. As I indicated in the previous question you asked, the best way is to use a kernel-mode tracing infrastructure such as kprobes
, systemtap
, or dtrace
. Have you looked at any of these? Is there a reason why none of them will work for your use case?
The only way to truly reliably strace the entire system from userspace would be to start your trace with the init
process... but I'm not sure that init
or systemd
would be very happy with you stracing it, since it does a lot of very low-level stuff that's pretty fragile and easy to break (and hard to inject wrapper commands around it too, I might add).
This is why the highest quality probing mechanisms have some type of kernel module, because the kernel "sees all". This is especially relevant since you are trying to monitor activity on character devices such as /dev/console
and /dev/tty*
, and the kernel has direct oversight over the calls to those devices since they are implemented in kernelspace.