Hello,

On Fri, Jan 11, 2019 at 10:33:39PM +0300, Reco wrote:
> On Fri, Jan 11, 2019 at 08:28:18PM +0100, basti wrote:
> > is there a way to monitor processes that access /dev/urandom
>
> auditctl -w /dev/urandom -r
>
> remove it with
>
> auditctl -D

Note also that one should not really be concerned with reads from urandom because this does not deplete the entropy pool, i.e. urandom is inexhaustible.

/dev/random is the one which blocks, but I should think that reading directly from either device is now deprecated in favour of system calls, which are not going to open and read a device file. So tracing that will not provide what is ultimately wanted, though it does satisfy the letter of the request.

I think getrandom is supposed to be used these days:

https://manpages.debian.org/stretch/manpages-dev/getrandom.2.en.html

So indeed as you suggest, a different kind of tracing like BPF will be more appropriate. That's beyond me at that point, though.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
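
Added example, not part of the original message: a Python script that reads audit records produced by a /dev/urandom watch alongside records from a getrandom(2) syscall rule, and reports which programs the device watch alone would never show. The two auditctl rules in the comment, the key names rng-dev and rng-syscall, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed audit rules (not from the thread) that would tag records like these:
#   auditctl -w /dev/urandom -p r -k rng-dev
#   auditctl -a always,exit -F arch=b64 -S getrandom -k rng-syscall
# Constructed, shortened sample records in audit.log style; all values are made up.
# On x86_64, syscall 257 is openat, 318 is getrandom, 2 is open.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1547235219.101:410): arch=c000003e syscall=257 success=yes exit=3 pid=2101 uid=0 comm="legacyd" exe="/usr/local/bin/legacyd" key="rng-dev"
type=PATH msg=audit(1547235219.101:410): item=0 name="/dev/urandom" inode=1033 nametype=NORMAL
type=SYSCALL msg=audit(1547235220.555:411): arch=c000003e syscall=318 success=yes exit=32 pid=2150 uid=33 comm="python3" exe="/usr/bin/python3.7" key="rng-syscall"
type=SYSCALL msg=audit(1547235221.002:412): arch=c000003e syscall=318 success=yes exit=16 pid=2150 uid=33 comm="python3" exe="/usr/bin/python3.7" key="rng-syscall"
type=SYSCALL msg=audit(1547235222.900:413): arch=c000003e syscall=2 success=yes exit=4 pid=2200 uid=0 comm="cat" exe="/bin/cat" key="other-watch"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SOURCES = {"rng-dev": "device file", "rng-syscall": "getrandom(2)"}


def parse_record(line):
    """Split one audit record into a dict of fields, unquoting string values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def rng_users(log_text):
    """Return {exe: {source: event count}} for SYSCALL records tagged with our keys."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_record(line)
        source = SOURCES.get(rec.get("key"))
        if rec.get("type") != "SYSCALL" or source is None:
            continue  # PATH records and unrelated watches are ignored
        usage[rec["exe"]][source] += 1
    return {exe: dict(counts) for exe, counts in usage.items()}


def missed_by_device_watch(log_text):
    """Executables seen only via getrandom(2), invisible to a /dev/urandom watch."""
    users = rng_users(log_text)
    return sorted(exe for exe, c in users.items() if "device file" not in c)


if __name__ == "__main__":
    for exe, counts in rng_users(SAMPLE_LOG).items():
        print(exe, counts)
    print("missed by device watch:", missed_by_device_watch(SAMPLE_LOG))
```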