Syscall Auditing at Scale
Ryan Huber

> sysdig requires a kernel module be loaded on each machine.

Why is that an issue?

There’s a tremendous advantage of sysdig over auditd: sysdig can capture all the arguments to syscalls, including string buffers. This is enormously valuable for performing post mortems, as you can look at all unencrypted communications taking place on the server.

See, e.g., for an example.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.