[dtrace-discuss] Re: Re: How to monitor any access to a specific file using dtrace

Brendan Gregg - Sun Microsystems brendan at sun.com
Tue Jan 23 00:03:36 PST 2007


G'Day Zhijun, David,

On Tue, Jan 23, 2007 at 01:28:34PM +0800, Zhijun Fu wrote:
> Hello David,
>    Not familiar with SunSHIELD, but I guess you can monitor the desired 
> access via VFS functions.
> I've attached a simple D-script which can monitor that. It is far from 
> enough at this moment, and certainly needs further polishing.
> Just try to give an example.

Yes, this script is an example that shows what it can be like to trace at
the VFS layer. There is still much work to turn this into something
that is suitable for *security* monitoring. For example, the vnode->v_path
cached string had been provided for observability value, not security
auditing. In earlier Solaris 10 there were situations where v_path was
not correct; a discussion about this was at:

http://www.opensolaris.org/jive/thread.jspa?messageID=31616&#31616

AFAIK on newer builds of Solaris the file rename issue has been fixed; 
although additional hard link activity will still need to be traced.

Getting this figured out is still only one part of the problem; the
steps I would take are:

   1) write a script that monitors all activity to a given pathname.
   2) verify that this works by writing a test suite.
   3) enhance the script to log dropped events under load and to do
      something appropriate if the logging file system fills up.
   4) write a test suite to verify that the script behaves as expected
      under pressure and when the file system fills.

To achieve 1), it would help to have a good understanding of the VFS layer;
Chapter 14 of Solaris Internals 2nd edition is a great reference.
Also, in the long run it can save some time to write the test suites first.

If this seems like a lot of work, then try SunSHIELD which already 
provides file monitoring (although not for specific files), and can
already deal with issues described under 3).

no worries,

Brendan

-- 
Brendan
[CA, USA]
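As an added example (not Zhijun's attached script and not code from anyone in this thread), here is a D script of the shape that step 1) calls for, including the rename and hard-link cases the message says still need tracing and the buffer options that matter for step 3). The fbt probe names and argument positions are assumed from the Solaris 10 fop_*() wrappers in vnode.c; confirm them on your own build with `dtrace -lvn fbt::fop_open:entry` before trusting the output, since fbt argument typing comes from that build's CTF data.

```d
#!/usr/sbin/dtrace -s
/*
 * fileaccess.d - trace VFS operations that touch one pathname.
 * Added example for this thread, not the script from the original mail.
 * Usage (as root): ./fileaccess.d /full/path/to/file
 *
 * ASSUMPTION: argument positions follow the Solaris 10 fop_*() wrappers
 * in vnode.c: fop_open(vnode_t **vpp, int mode, ...),
 * fop_read/fop_write(vnode_t *vp, uio_t *uiop, ...),
 * fop_remove(vnode_t *dvp, char *nm, ...),
 * fop_rename(vnode_t *sdvp, char *snm, vnode_t *tdvp, char *tnm, ...),
 * fop_link(vnode_t *tdvp, vnode_t *svp, char *tnm, ...).
 * Verify with: dtrace -lvn fbt::fop_open:entry
 */

#pragma D option quiet
#pragma D option bufsize=8m		/* bigger principal buffer: fewer drops under load */
#pragma D option switchrate=10hz	/* drain buffers 10x/sec instead of once per second */

dtrace:::BEGIN
{
	printf("Tracing VFS activity on %s ... Ctrl-C to end.\n", $$1);
}

/*
 * Operations that arrive with the file's own vnode: match on the cached
 * v_path. v_path may be NULL (freshly created vnode) or stale, so the NULL
 * test comes first, and a miss here is why the name-based probes below
 * are also needed.
 */
fbt::fop_open:entry
/(*args[0])->v_path != NULL && stringof((*args[0])->v_path) == $$1/
{
	printf("%Y %5d %-12s open   mode=0x%x\n", walltimestamp, pid, execname, args[1]);
}

fbt::fop_read:entry,
fbt::fop_write:entry
/args[0]->v_path != NULL && stringof(args[0]->v_path) == $$1/
{
	printf("%Y %5d %-12s %-6s bytes=%d\n", walltimestamp, pid, execname,
	    probefunc == "fop_read" ? "read" : "write", args[1]->uio_resid);
}

/*
 * Operations that arrive as (directory vnode, name): rebuild the path from
 * the directory's v_path. Files directly under "/" would come out as
 * "//name"; a deployed script needs to special-case that.
 */
fbt::fop_remove:entry
/args[0]->v_path != NULL &&
 strjoin(strjoin(stringof(args[0]->v_path), "/"), stringof(args[1])) == $$1/
{
	printf("%Y %5d %-12s remove\n", walltimestamp, pid, execname);
}

/* rename away from the watched path (source dir + source name) */
fbt::fop_rename:entry
/args[0]->v_path != NULL &&
 strjoin(strjoin(stringof(args[0]->v_path), "/"), stringof(args[1])) == $$1/
{
	printf("%Y %5d %-12s rename -> %s\n", walltimestamp, pid, execname,
	    stringof(args[3]));
}

/* rename onto the watched path (target dir + target name): the file is replaced */
fbt::fop_rename:entry
/args[2]->v_path != NULL &&
 strjoin(strjoin(stringof(args[2]->v_path), "/"), stringof(args[3])) == $$1/
{
	printf("%Y %5d %-12s rename <- %s\n", walltimestamp, pid, execname,
	    stringof(args[1]));
}

/* hard link: a second name now reaches the same vnode, and v_path will not show it */
fbt::fop_link:entry
/args[1]->v_path != NULL && stringof(args[1]->v_path) == $$1/
{
	printf("%Y %5d %-12s link   -> %s\n", walltimestamp, pid, execname,
	    stringof(args[2]));
}

dtrace:::END
{
	printf("Done. Check stderr for \"dtrace: N drops on CPU M\" lines before\n");
	printf("treating this log as complete.\n");
}
```

Run it as `./fileaccess.d /etc/passwd 2>&1 | tee /var/log/fileaccess.log`: the dtrace consumer reports dropped records on stderr, not inside the D program, so step 3) only works if stderr lands in the same log and someone reads the drop counts. The bufsize and switchrate options reduce drops under load; they do not eliminate them, and nothing in D can react to the logging file system filling up, which is the consumer's (or SunSHIELD's) job.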

