Linux Tracing in Go

By Grant Seltzer

Elevator Pitch

Linux provides powerful tracing mechanisms, allowing its users to investigate all the details of running processes, system calls, privilege changes and much more. However, they’re historically difficult to use. What if I told you those mechanisms were as easily accessible as a web service using Go?

Description

Having visibility into your operating system’s internal activity is an invaluable asset for monitoring, debugging, and security. However, gaining that visibility into things like running processes, file activity or privilege escalations is a challenging and often intimidating task. The Linux kernel actually provides many different mechanisms for tracing, such as audit, strace, perf, kprobes, eBPF and many more. But how can we even begin without having years of systems experience?

Using tools written entirely in Go, programmers with even the bare minimum of experience can know everything happening on their system, from file activity to process privilege escalation. Monitoring processes, system calls, container events, and privilege changes becomes accessible simply by using idiomatic Go conventions, in the same way you’d access a web service.

This talk will start with an introduction to Linux tracing history, concepts, and architecture, followed by highlights of existing work that’s been done in the space. The majority of the session will be live coding of increasingly complex and useful examples that aim to prove how easy it is to gain insight into your operating system’s activity straight from everyone’s favorite programming language. Attendees will walk away with a strong understanding of Linux tracing, its potential applications, and a sense of empowerment to start tracing their OS themselves!

Notes

I’m pretty early in my career, but I’ve been working with Go for two years now, and Linux for five or six. At my current job and when I was at Red Hat, I learned a ton about the underpinnings of the OS and have gotten really into making operating system internals more accessible. For example, I made a pretty nifty tool for generating security profiles called karn. I’m very passionate about the contents of my talk and I know that would show when presenting. I’ve presented at a bunch of New York meetups, but this would be my first talk at a conference. Thank you in advance for the opportunity to speak at GothamGo!

P.S. the working title of this talk was originally “Go Hard or Go Home: If You’re Not Linux Tracing, You’re Linux Faking”