[dtrace-discuss] Re: How to monitor any access to a specific file using dtrace

Brendan Gregg - Sun Microsystems brendan at sun.com
Mon Jan 22 03:10:59 PST 2007


G'Day David,

On Mon, Jan 22, 2007 at 01:14:16AM -0800, David Chen wrote:
> fds[] array is not supported yet in my system.
> 
> Firstly, I wonder if I can use syscall::open:entry to monitor "any access" to the specific file (or most regular operations). I tried the following script:

You'll also want to match open64, eg, syscall::open*:entry.

> #!/usr/sbin/dtrace -qs
> syscall::open:entry
> {printf("execname=%s,filename=%s\n",execname,copyinstr(arg0));}

This will show most file opens. To catch them all, the copyinstr(arg0)
needs to happen on the open:return (once we know the path string has 
been faulted in).

At the syscall layer you can match on the pathname. But what if someone
creates another hardlink to the file? This would allow them to access
the file under a different pathname, and avoid monitoring. There are
a number of options available to solve this, such as,

   - monitor all file activity, including hard link creation.
   - monitor by vnode at the VFS layer, not at the syscall layer

> From the lots of output, I can see that some operations such as "cat", "more", "cp", "vi", "rm", "touch" ... on the specific file are caught, but how can I filter out the unneeded output? From the output, it seems it can't be done by comparing the filename with the "specific filename".

Check out predicates in the DTrace guide; apart from a direct match on
a string using "==", a strstr() function has been added which behaves
similar to the C version - and will allow partial matches.

Of course, if you were troubleshooting an issue using DTrace, you could
simply dump all output through grep or egrep.

> for example for "cat" command, I get:
> execname=cat,filename=/var/ld/ld.config
> execname=cat,filename=/lib/libc.so.1
> execname=cat,filename=/platform/SUNW,Ultra-80/lib/libc_psr.so.1
> 
> for "vi" command, I get:
> execname=vi,filename=test
> but there should be a relative path/absolute path issue.

There are a number of ways to get absolute paths; I wrote one technique
in pathopens.d for the DTraceToolkit - although that was some time ago,
there may be better ways to do this these days.

> Please help me figure out what enhancements are needed in the script to implement monitoring of "any access" to the specific file.

DTrace is a fantastic troubleshooting tool; but "monitoring" is a different
task that needs consideration. Is this security monitoring? Solaris's
BSM auditing (aka SunSHIELD) may already solve your monitoring needs - 
and so while DTrace may work (and is much more customisable), you may
be reinventing some functionality.

And if it is security monitoring -- what should happen if there were
more events than the system could record? Should the system stop?
Continue but drop events? Drop and log the fact that events were dropped? ...

Brendan

-- 
Brendan
[CA, USA]
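An added example (my own script, not Brendan's code and not the DTraceToolkit's pathopens.d) that puts the advice in this reply together: match open* rather than open, copy the pathname on the return probe, join relative names to the caller's working directory, filter with strstr() in a predicate, and also record hard-link creation for the target. The script name fileaccess.d and the $$1 argument are my choices; it assumes a Solaris DTrace release that provides the cwd variable, strjoin() and strstr().

```d
#!/usr/sbin/dtrace -qs
/* fileaccess.d (hypothetical); run as root: ./fileaccess.d '"/home/david/test"' */

/* entry: only remember the user pointer, the string may not be faulted in yet */
syscall::open*:entry
{
	self->pathp = arg0;
}

/* return: the pathname is resident now; skip failed opens (arg0 == -1) */
syscall::open*:return
/self->pathp && arg0 != -1/
{
	this->file = copyinstr(self->pathp);
	this->first = *(char *)copyin(self->pathp, 1);
	/* relative names are joined to the caller's current working directory */
	this->abs = this->first == '/' ? this->file :
	    strjoin(strjoin(cwd, "/"), this->file);
}

/* $$1 is the substring the absolute pathname must contain (strstr predicate) */
syscall::open*:return
/self->pathp && arg0 != -1 && strstr(this->abs, $$1) != NULL/
{
	printf("%Y %-12s %6d open fd=%-3d %s\n", walltimestamp, execname,
	    pid, arg0, this->abs);
}

syscall::open*:return
{
	self->pathp = 0;
}

/* a new hard link is a second name for the same file: record its creation */
syscall::link:entry
{
	self->oldp = arg0;
	self->newp = arg1;
}

syscall::link:return
/self->oldp && arg0 == 0 && strstr(copyinstr(self->oldp), $$1) != NULL/
{
	printf("%Y %-12s %6d link %s -> %s (cwd %s)\n", walltimestamp, execname,
	    pid, copyinstr(self->oldp), copyinstr(self->newp), cwd);
}

syscall::link:return
{
	self->oldp = 0; self->newp = 0;
}
```

The link() clause only covers names created after the script starts; a link that already exists, or one created through a different syscall, still needs the vnode-level approach mentioned above.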
