On Windows, Process Monitor does the same thing --- with the additional feature that, since configuration is often stored in the registry there, it will also show which registry keys it touches.
I use quick and dirty greps all the time, even when there is a "better" option available. It just works and is very intuitive in interactive contexts. Probably GP works in a similar way.
In lieu of strace, IDK how fast `ls -al /proc/${pid}/fd/*` can be polled and logged in search of which config file it is; almost like `lsof -n`:
pid=$$ # this $SHELL's pid
help set; # help help
(set -B; cat /proc/"${pid}"/{cmdline,environ}) \
| tr '\0' $'\n'
(while 1; do echo \#$pid; ls -al /proc/${pid}/fd/*; done) | tee "file_handle_to_file_path.${pid}.log"
# Ctrl-C
It's good Configuration Management practice to wrap managed config with a preamble/postamble indicating at least that some code somewhere wrote that and may overwrite whatever a user might manually change it to (prior to the configuration management system copying over or re-templating the config file content, thus overwriting any manual modifications)
## < managed by config_mgmt_system_xyz (in path.to.module.callable) >
## </ managed>
It still works if you turn off SIP. This is the same on Apple Silicon and Intel. However, for these purpose of tracking file accesses, I recommend using `eslogger` instead, as it doesn’t require disabling SIP and is faster, among other advantages.
It’ll show all file events. No need to disable SIP. SIP is doing a lot of good work for users and unless you’re doing kernel work or low level coding I’d keep it enabled. Obv. There are other cases but for the general public keep it on.
It’s personal preference. If the security people had their way we’d all be developing on iPads. If SIP interferes with your work: turn it off. Linux doesn’t have SIP and it’s just fine to develop on Linux as well.
100% agree. We would put everyone on chromebooks if we had our way. I don’t think it’s good for productivity and generating new ideas for a company so I never advocate for it.
There was a man who never existed named Thomas Covenant, created by Stephen R Donaldson. Decades ago this character said something that has stayed and will stay with me my entire life:
"The best way to hurt somebody who's lost everything is to give him back something that is broken."
For us, this thing is MacOS. I miss dtrace every damn day.
DTrace allowed you to ask the damn os what it was doing, since the man pages are random and do not match the command line help, new daemons constantly appear with docs like this:
NAME
rapportd – Rapport Daemon.
SYNOPSIS
Daemon that enables Phone Call Handoff and other communication features between Apple devices.
Use '/usr/libexec/rapportd -V' to get the version.
I do this much more frequently than I would like. But occasionally you have issues where the program lists a directory then only acts on specific names. So the strace output won't tell you what the expected name is.
Users should be aware that `sudo apt install sysdig` may require reconfiguration of UEFI Secure Boot, and that there is no apparent clean abort from this possible. The raw-mode terminal screen contains the text:
┌────────────────────────┤ Configuring Secure Boot ├────────────────────────┐
│ │
│ Your system has UEFI Secure Boot enabled. │
│ │
│ UEFI Secure Boot requires additional configuration to work with │
│ third-party drivers. │
│ │
│ The system will assist you in configuring UEFI Secure Boot. To permit │
│ the use of third-party drivers, a new Machine-Owner Key (MOK) has been │
│ generated. This key now needs to be enrolled in your system's firmware. │
│ │
│ To ensure that this change is being made by you as an authorized user, │
│ and not by an attacker, you must choose a password now and then confirm │
│ the change after reboot using the same password, in both the "Enroll │
│ MOK" and "Change Secure Boot state" menus that will be presented to you │
│ when this system reboots. │
│ │
│ If you proceed but do not confirm the password upon reboot, Ubuntu will │
│ still be able to boot on your system but any hardware that requires │
│ third-party drivers to work correctly may not be usable. │
│ │
│ <Ok> │
│ │
└───────────────────────────────────────────────────────────────────────────┘
This leads to a second screen asking for a new password. There is a <Cancel> option, but selecting it merely loops back to the first screen.
Hitting C-c (Control-c) has no effect.
There are validity rules for the password, but they are presented only after you've entered an invalid password, twice, the second time to confirm.
After this installation proceeds, then terminates with a warning:
DKMS: install completed.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.9) ...
W: Operation was interrupted before it could finish
I suspect that's just because you're trying to install an old version (as I wrote sysdig used to have a kernel extension but now should use eBPF functionality provided in stock kernels). I can't easily verify (no ubuntu at hand), but presumably if you install the vendor supplied, up-to-date version (first google hit I found: https://www.linuxcapable.com/how-to-install-sysdig-on-ubuntu...) it will work without UEFI changes.
I had to do this to figure out where Cold Steel was reading save files from years back: https://vaughanhilts.me/blog/2018/02/16/playing-trails-of-co...