Whether to support users, ensure their security, or meet compliance goals, organizations need to deploy monitoring of their desktop machines. Yet, many approaches overreach by effectively being rootkits. In this presentation, we'll examine:
* What data a monitoring system needs to collect
* Where the data we need lives on a modern Linux desktop
* Which data sources expose sandbox-friendly API access
* Sandboxing the monitoring daemon itself
